Why doesn't pre-flight CORS block CSRF attacks?
|Added at||2016-12-14 18:12|
Everyone says CORS doesn't do anything to defend against CSRF attacks. This is because CORS blocks outside domains from accessing (reading) resources on your domain -- but doesn't prevent the request from being processed. So evil sites can send state-changing DELETE requests, without caring that they can't read back the result.
That's all well and good.
Except for pre-flight CORS.
In this case, CORS looks at the request BEFORE it is sent, and checks whether it's legitimate. If it's not, the request is rejected.
So the DELETE request that the CSRF attacker tries to send fails the pre-flight check, and thus is rejected. The CSRF attack fails.
What am I missing here?