It may be tempting to drop CSRF tokens altogether: CORS gives us a powerful mechanism for discovering that a request was sent from a different origin, the Origin header. Unfortunately, not all of the major browsers implement it consistently yet (at least not to my satisfaction), so we cannot rely on this header just yet.
You should be aware that Mozilla Firefox does not send an Origin header for cross-origin form POST requests. The corresponding bug is resolved, but the fix is still an experimental feature that is disabled by default.
Internet Explorer and Edge do no better: no Origin header is sent when a form is posted (I did not bother to find out whether this is a bug or a deliberate design decision in this case; I only checked how the browsers behave).
Google Chrome does a good job here: a simple form posted to a different origin carries the Origin header.
If only all cross-origin, non-GET requests carried an Origin header, the web would be a better place… ;)
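The practical consequence of the browser differences above is that a server-side check which looks only at Origin either rejects legitimate form posts from browsers that omit the header, or, if it treats "no Origin" as "same origin", becomes a bypass. The following is an added example (not code from the original post, and not from Spring Security or OWASP) of the source-origin check the OWASP cheat sheet describes as a defence-in-depth measure: prefer Origin, fall back to the scheme and host part of Referer, and fail closed when neither is present. The allowed-origin set and the four sample request header sets are constructed for the example; the Firefox-style request (Referer but no Origin) mirrors the behaviour described above. Because both headers can be stripped by proxies or privacy extensions, this check complements CSRF tokens rather than replacing them.

```python
from urllib.parse import urlsplit

# Origins the application considers its own (hypothetical values for this example).
# Entries must be lowercase scheme://host[:port] with no trailing slash.
ALLOWED_ORIGINS = {"https://app.example"}


def source_origin(headers):
    """Return the request's source origin as scheme://host[:port], or None.

    Origin is preferred. A literal "Origin: null" (sandboxed iframe, redirect
    from another origin, etc.) carries no usable information, so it is treated
    as absent. Referer is the fallback; only its origin part is used, never the
    path or query. None means "unknown", which the caller must treat as a
    rejection, not a pass.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin", "").strip()
    if origin and origin.lower() != "null":
        return origin.rstrip("/").lower()
    referer = lowered.get("referer", "").strip()
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None


def origin_check(method, headers, allowed=ALLOWED_ORIGINS):
    """Decide whether a request passes the source-origin check.

    Returns (allowed, reason). Safe methods are not checked, because CSRF
    protection is about state-changing requests. Every other method must
    present a source origin that is in the allow-list; an unknown origin
    fails closed.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method, not checked"
    src = source_origin(headers)
    if src is None:
        return False, "no Origin or Referer header; failing closed"
    if src in allowed:
        return True, f"source origin {src} is allowed"
    return False, f"source origin {src} is not allowed"


# Constructed header sets for a cross-site form POST, modelled on the browser
# behaviour discussed above (these are not captured traffic).
SAMPLE_REQUESTS = {
    # Chrome: the form post carries Origin.
    "chrome_form_post": {
        "Origin": "https://app.example",
        "Referer": "https://app.example/transfer",
    },
    # Firefox / IE / Edge as described above: Referer but no Origin.
    "firefox_form_post": {"Referer": "https://app.example/transfer"},
    # A form auto-submitted from an attacker's page.
    "attacker_form_post": {
        "Origin": "https://evil.example",
        "Referer": "https://evil.example/csrf.html",
    },
    # Both headers stripped by a proxy or privacy extension: must be rejected.
    "stripped_headers": {},
}


def run_samples():
    """Run the check over the constructed requests; returns name -> allowed."""
    return {name: origin_check("POST", hdrs)[0] for name, hdrs in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_REQUESTS.items():
        ok, reason = origin_check("POST", hdrs)
        print(f"{name:20s} {'ALLOW' if ok else 'REJECT':6s} {reason}")
```

Note that the Firefox-style request only passes because of the Referer fallback; with an Origin-only check it would be rejected, and with an "absent means same-origin" check the stripped-headers case would become a bypass. Port normalisation (https://app.example:443 versus https://app.example) is deliberately left to the allow-list here.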
Useful References:
- Bug 446344 – Implement Origin header CSRF mitigation (fixed, but disabled by default)
- https://docs.spring.io/spring-security/site/docs/current/reference/html/csrf.html
- https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Protecting_REST_Services:_Use_of_Custom_Request_Headers