Why can't a cross-origin request simply not share cookies, instead of the request being denied?

  • In principle, I think that all or almost all CSRF could be prevented with just ‘samesite’ cookies and careful engineering.

    In practice, the same origin policy is a very good ‘safe default’ for the long tail of sites that for whatever reason don’t have proper CSRF mitigation set up.

    In a broader sense, CORS also lets site owners ‘forbid’ requests from any JavaScript that they don’t control, which allows them to narrow the scope of possible attack vectors.

    I’m sure this is an incomplete answer though; I’m curious what other people think.
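The SameSite behaviour the answer above relies on, as an added example that is not part of the original thread: a simplified model of the browser's decision whether a cookie accompanies a cross-site request, plus the Origin-header allow-list check a server can apply regardless of cookie policy. It assumes "site" can be approximated by the last two host labels (the real rule uses the Public Suffix List) and, like Chromium, treats a cookie with no SameSite attribute as Lax.

```javascript
// Added example (not from the original thread): a simplified model of the
// browser's SameSite decision. "Site" is approximated by the registrable
// domain (last two labels), which ignores the Public Suffix List.
function siteOf(url) {
  const labels = new URL(url).hostname.split(".");
  return labels.slice(-2).join(".");
}

// cookie:  { name, sameSite: "Strict" | "Lax" | "None" | undefined, secure }
// request: { url, initiator, method, topLevelNavigation }
function cookieIsSent(cookie, request) {
  const sameSite = siteOf(request.url) === siteOf(request.initiator);
  const https = new URL(request.url).protocol === "https:";
  // Same-site requests always carry the cookie; SameSite only limits cross-site use.
  if (sameSite) return true;
  const mode = cookie.sameSite || "Lax"; // assumption: Lax-by-default, as in Chromium
  switch (mode) {
    case "Strict":
      return false;
    case "Lax":
      // Lax still allows top-level navigations with safe methods (e.g. a link click),
      // but not a cross-site POST from a form or fetch(), which blocks classic CSRF.
      return request.topLevelNavigation && ["GET", "HEAD"].includes(request.method);
    case "None":
      // SameSite=None is only honoured on Secure cookies sent over HTTPS.
      return cookie.secure && https;
    default:
      return false;
  }
}

// Server side: a state-changing endpoint can additionally require a known Origin,
// which covers sites that have no other CSRF mitigation.
function originAllowed(originHeader, allowedOrigins) {
  if (originHeader === undefined || originHeader === "null") return false;
  return allowedOrigins.includes(originHeader);
}
```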