by tcheard
3288 days ago
Yes, but then you get people that fail to understand that CSRF only applies to a browser, and CORS only affects a user agent that implements a Same Origin Policy. And they fail to protect their resources otherwise. They add CORS support to their server resources and get the false assumption that their resources can only ever be retrieved from a web page under their origin or an origin they have trusted (via CORS). They believe that this also protects them from malicious users making requests from outside of a browser (e.g. via curl). CORS is not security, it is a loosening of security (namely SOP). The number of times that I have had someone ask "why can someone access the endpoint via curl? I thought this was protected by CORS" makes me sad.
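The point made in the comment, worked through as an added example (not code from the original post): a handler that only emits CORS headers next to one that actually authorizes the request, with a model of a browser (which enforces SOP/CORS) and a model of a curl-style client (which does not). The origins, the bearer token and the resource body are constructed for the demo.

```python
# Added example, not from the original post. Models the comment's point:
# a server can emit CORS headers, but only a browser enforces them, and a
# non-browser client (curl, a script) still receives the body. The origins,
# token and resource below are constructed values for the demo.
import hmac
from dataclasses import dataclass, field
from typing import Callable, Optional

TRUSTED_ORIGINS = {"https://app.example.test"}   # constructed trusted origin
VALID_TOKENS = {"tok-constructed-0001"}          # constructed bearer token
SECRET_BODY = '{"balance": 1000}'                # constructed protected resource


@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def cors_only_handler(req: Request) -> Response:
    """Serves the resource to anyone. The CORS header is only advice to a
    browser about whether script on the requesting origin may *read* the
    response; it does not decide whether the server hands the data out."""
    headers = {}
    origin = req.headers.get("Origin")
    if origin in TRUSTED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
    return Response(200, headers, SECRET_BODY)


def authenticated_handler(req: Request) -> Response:
    """Enforces access on the server: a valid bearer token is required no
    matter which client sent the request. CORS headers are still set for the
    browser case, but they are not what protects the data."""
    resp = cors_only_handler(req)
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    ok = scheme == "Bearer" and any(
        hmac.compare_digest(token, t) for t in VALID_TOKENS)
    if not ok:
        return Response(401, resp.headers, "")
    return resp


def browser_fetch(handler: Callable[[Request], Response],
                  page_origin: str) -> Optional[str]:
    """Models a browser: sends an Origin header, then applies the same-origin
    policy to the response. Returns the body only if CORS lets the page read it.
    Note the request still reached the server and was answered."""
    resp = handler(Request("GET", {"Origin": page_origin}))
    acao = resp.headers.get("Access-Control-Allow-Origin")
    if acao == "*" or acao == page_origin:
        return resp.body
    return None  # response arrived, but the page may not read it


def curl_fetch(handler: Callable[[Request], Response],
               token: Optional[str] = None) -> Response:
    """Models a non-browser client: no Origin header, no SOP, no CORS check.
    Whatever the server returns is simply delivered to the caller."""
    headers = {}
    if token is not None:
        headers["Authorization"] = f"Bearer {token}"
    return handler(Request("GET", headers))


def demo() -> dict:
    return {
        # a page on an untrusted origin is blocked by the browser from reading...
        "browser_evil_origin": browser_fetch(cors_only_handler,
                                             "https://evil.example.test"),
        # ...but a curl-style client gets the body: CORS protected nothing here
        "curl_no_auth_cors_only": curl_fetch(cors_only_handler).body,
        # with server-side auth, the token (not CORS) gates the resource
        "curl_no_auth_authenticated": curl_fetch(authenticated_handler).status,
        "curl_with_token": curl_fetch(authenticated_handler,
                                      "tok-constructed-0001").body,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it shows the two handlers side by side: `cors_only_handler` returns the body to the curl model with no credentials at all, while `authenticated_handler` answers 401 to the same request and only releases the body to a caller presenting the token, whether that caller is a browser or not.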