If CORS is properly set up on a server to only allow certain origins to access the server, is this enough to prevent CSRF attacks?
To be more specific, it is easy to make the mistake of thinking that if evil.example cannot make a request to good.example due to CORS then CSRF is prevented. There are two problems being overlooked, however:

CORS is respected by the browsers only. That means Google Chrome will obey CORS and not let evil.example make a request to good.example. However, imagine someone builds a native app or whatever which has a form that POSTs things to your site. XSRF tokens are the only way to prevent that.
It is easy to overlook the fact that CORS is only for JS requests. A regular form on evil.example that POSTs back to good.example will still work despite CORS.
For these reasons, CORS is not a good replacement for XSRF tokens. It is best to use both.
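The second point above, as an added illustration (not code from the original post): two versions of a state-changing endpoint on good.example, one relying on an origin allowlist alone and one using a synchronizer token, fed the same constructed request that a plain HTML form on evil.example would cause the victim's browser to send. The `Request` class, `SESSIONS` store and handler names are made up for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

ALLOWED_ORIGINS = {"https://good.example"}
SESSIONS = {}  # session id -> per-session data (constructed in-memory stand-in)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the server sees it (constructed)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def new_session():
    """Log a user in and bind a fresh CSRF token to the session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def cors_headers(request):
    """CORS only decides what a browser lets page scripts read from the response.
    The request itself still reaches the server and is executed either way."""
    origin = request.headers.get("Origin")
    return {"Access-Control-Allow-Origin": origin} if origin in ALLOWED_ORIGINS else {}


def transfer_cors_only(request):
    """Relies on the allowlist alone: any POST carrying a valid session cookie runs."""
    if request.method != "POST" or request.cookies.get("sid") not in SESSIONS:
        return 403, cors_headers(request)
    return 200, cors_headers(request)  # state change happens; browser just hides the body


def transfer_with_token(request):
    """Same endpoint, but the form must echo the session's token, which a page on
    another origin cannot read. Constant-time compare avoids timing leaks."""
    session = SESSIONS.get(request.cookies.get("sid"))
    if request.method != "POST" or session is None:
        return 403, cors_headers(request)
    submitted = request.form.get("csrf_token", "").encode()
    if not hmac.compare_digest(submitted, session["csrf_token"].encode()):
        return 403, cors_headers(request)
    return 200, cors_headers(request)


def cross_site_form_post(sid):
    """Constructed request for a plain <form method=POST> on evil.example: the
    browser attaches the victim's cookie, and no token is included."""
    return Request("POST", {"Origin": "https://evil.example"}, {"sid": sid}, {"amount": "100"})
```

Running the cross-site form request through both handlers shows the difference: the allowlist-only endpoint returns 200 and performs the transfer, while the token-checking endpoint returns 403.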