To be more specific, it is easy to make the mistake of thinking that if evil.example cannot make a request to good.example due to CORS then CSRF is prevented. There are two problems being overlooked, however:

- CORS is respected by browsers only. That means Google Chrome will obey CORS and not let evil.example make a request to good.example. However, imagine someone builds a native app or whatever which has a form that POSTs things to your site. XSRF tokens are the only way to prevent that.
- It is easy to overlook the fact that CORS is only for JS requests. A regular form on evil.example that POSTs back to good.example will still work despite CORS.

For these reasons, CORS is not a good replacement for XSRF tokens. It is best to use both.