Reputation: 649
Why does a cross-origin simple POST request not trigger a preflight check? From the Mozilla docs:
A request that doesn’t trigger a CORS preflight—a so-called “simple request”...
The only allowed methods are:
- GET
- HEAD
- POST
...
The only allowed values for the Content-Type header are:
- application/x-www-form-urlencoded
- multipart/form-data
- text/plain
However, if a user visits evilsite.com and is tricked into filling out a form that simply has a form action="http://elsewhere.com", and the servers on elsewhere.com are expecting valid POST requests with multipart/form-data (or any of the other 2 really), wouldn't that NOT protect the servers on elsewhere.com? Shouldn't these in fact be subject to the CORS preflight checks? What am I missing here?
Upvotes: 1
Views: 1112
Reputation: 48952
...the servers on elsewhere.com are expecting valid post requests with multipart/form-data (or any of the other 2 really) wouldn't that NOT protect the servers on elsewhere.com?
That's right, it wouldn't, and it would be a major security failure on the part of elsewhere.com to "expect valid post requests". That attack—Cross-Site Request Forgery—exists with or without CORS, and it is up to the server to protect against it.
CORS was introduced to make cross-origin requests possible without introducing any new security problems. It doesn't address this existing security problem because doing so would have a cost (the preflight requests aren't free) but no benefit (since servers would still have to protect themselves from browsers that aren't using CORS).
I've written about this in more detail in this answer.
Upvotes: 4
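To make the answer's point concrete, here is an added example (not from either post) that models the two rules the question quotes from the Mozilla docs, shows that a plain HTML form POST with multipart/form-data is a "simple request" sent without any preflight, and shows the server-side check that actually stops the forged submission. The CSRF defence is an assumed synchronizer-token pattern: the server compares a token in the form body with one bound to the user's session; the request and session values are constructed for the example.

```python
import hmac

# Method and Content-Type rules quoted from the Mozilla docs; the real
# "simple request" definition also restricts other headers, which this
# model leaves out.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def is_simple_request(method, headers):
    """True when the browser sends the request without a CORS preflight."""
    if method.upper() not in SIMPLE_METHODS:
        return False
    ctype = headers.get("Content-Type")
    if ctype is None:
        return True
    # Strip parameters such as the multipart boundary before matching.
    media_type = ctype.split(";", 1)[0].strip().lower()
    return media_type in SIMPLE_CONTENT_TYPES


def server_accepts(method, form, session_token):
    """Server-side CSRF check that does not rely on CORS at all.

    State-changing requests must carry a token that matches the one stored
    in the user's session (assumed synchronizer-token pattern). A form
    auto-submitted from evilsite.com cannot read that token, so it fails.
    """
    if method.upper() in {"GET", "HEAD"}:
        return True  # safe methods should not change state anyway
    return hmac.compare_digest(form.get("csrf_token", ""), session_token)


# Constructed example: a form POST from evilsite.com targeting elsewhere.com.
FORGED_HEADERS = {"Content-Type": "multipart/form-data; boundary=----x"}
FORGED_FORM = {"transfer_to": "attacker", "amount": "100"}
SESSION_TOKEN = "constructed-session-token"


def forged_post_needs_preflight():
    return not is_simple_request("POST", FORGED_HEADERS)


def forged_post_is_accepted():
    return server_accepts("POST", FORGED_FORM, SESSION_TOKEN)
```

Running it shows the browser sends the forged POST with no preflight, exactly as the question suspects, while the token check rejects it anyway; the same form with the correct token from a legitimate page is accepted.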