If a server accepts cross site XHTMLRequests (access-control-allow-origin), shouldn't t开发者_JS百科he server enforce a protection against cross site request forgery (CSRF)?
It depends. Generally speaking, if the request causes permanent changes, and you don't want people arbitrarily causing changes, CSRF protection is highly advised.
The server should not enforce that but the application should, whenever it has critical operations done via a non human validated (i.e CAPTCHA) request.
Yes. You should always protect against CSRF in general.
 
         
                                         
                                         
                                         
                                        ![Interactive visualization of a graph in python [closed]](https://www.devze.com/res/2023/04-10/09/92d32fe8c0d22fb96bd6f6e8b7d1f457.gif) 
                                         
                                         
                                         
                                         加载中,请稍侯......
 加载中,请稍侯......
      
精彩评论