Does a proper CORS setup prevent CSRF attack?
If CORS is properly setup on a server to only allow a certain origins to access the server,
Is this enough to prevent CSRF attacks?
To be more specific, it is easy to make the mistake of thinking that if evil.com cannot make a request to good.com due to CORS then CSRF is prevented. There are two problems being overlooked, however:
CORS is respected by the browsers only. That means Google Chrome will obey CORS and not let evil.com make a request to good.com. However, imagine someone builds a native app or whatever which has a form that POSTs things to your site. XSRF tokens are the only way to prevent that.
Is it easy to overlook the fact that CORS is only for JS request. A regular form on evil.com that POSTs back to good.com will still work despite CORS.
For these reasons, CORS is not a good replacement for XSRF tokens. It is best to use both.
No!
CORS enables sharing between two domains where XSRF is attacking method that does not depend on CORS in anyway.
I don't understand what you mean by "CORS is properly setup" but when attacking with XSRF, browser don't ask for CORS headers on server.
CORS is not security :)