[lyu07282]

I don't know why you are getting downvoted, you do have a point. Some of the comments appear knowing what CORS headers are, but neither their purpose nor how it relates to CSRF it seems, which is worrying. It's not meant as disparaging. My university thought a course on OWASP thankfully, otherwise I'll probably also be oblivious.

[_cenw]

If you're going cross-domain with XHR, I'd hope you're mostly sending json request bodies and not forms.

Though to be fair, a lot of web frameworks have methods to bind named inputs that allow either.

[bawolff]

This misses the point a bit. CSRF usually applies to people who want only same domain requests and dont realize that cross domain is an option for the attacker.

In the modern web its much less of an issue due to samesite cookies being default .