It may be tempting to drop CSRF tokens altogether: CORS gives us a powerful mechanism for discovering that a request was sent from a different origin, the Origin header. Unfortunately it is not yet implemented well (to my personal preference) by all industry-leading browsers, so we cannot rely on this header just yet.
Internet Explorer and Edge don't do any better: no Origin header is sent when posting a form (I didn't bother to find out whether this is a bug or a feature in this case, I just checked how it behaves).
Google Chrome does a good job here: a simple form posted to a different origin contains the Origin header.
If only all cross-origin, non-GET requests contained the Origin header, the web would be a better place… ;).
- Bug 446344 – Implement Origin header CSRF mitigation (fixed, but disabled by default)
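The practical consequence of the above is a server-side check that uses the Origin header when the browser sends one and falls back to the CSRF token when it does not. The following is an added, framework-agnostic example (not code from the original post); it assumes `headers`, `form` and `session` are plain dicts handed over by the application, and the header, form and session field names are assumptions of the example.

```python
import hmac

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

def token_matches(session_token, submitted_token):
    """Constant-time comparison of the per-session token with the submitted one."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)

def check_request(method, headers, form, session, site_origin):
    """Return (allowed, reason) for a state-changing request.

    Origin decides when it is present (the Chrome case in the post); when the
    browser omits it (the IE/Edge form-post case), only the CSRF token can decide.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    # Header names are case-insensitive; normalise before lookup.
    lower_headers = {k.lower(): v for k, v in headers.items()}
    origin = lower_headers.get("origin")
    if origin is not None:
        # "null" is what browsers send for opaque origins: treat it as foreign.
        if origin != "null" and origin.lower() == site_origin.lower():
            return True, "Origin header matches site origin"
        return False, "cross-origin request rejected by Origin check"
    # No Origin header at all, so fall back to the token the post says we still need.
    if token_matches(session.get("csrf_token"), form.get("csrf_token")):
        return True, "no Origin header, CSRF token valid"
    return False, "no Origin header and CSRF token missing or invalid"

if __name__ == "__main__":
    # Constructed sample requests illustrating the three browser behaviours.
    site = "https://bank.example"
    session = {"csrf_token": "s3cr3t-token"}
    print(check_request("POST", {"Origin": site}, {}, session, site))
    print(check_request("POST", {"Origin": "https://evil.example"}, {}, session, site))
    print(check_request("POST", {}, {"csrf_token": "s3cr3t-token"}, session, site))
    print(check_request("POST", {}, {}, session, site))
```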