I looked into this Stack Overflow answer to learn about CORS preflight requests. According to this answer, it is possible to do CSRF attacks when CORS is not there.
But looking at the requirements for "simple" requests that don't require preflights, I see that POST is still allowed. That can change state and delete data just like a DELETE!
That's true! CORS does not protect your site from CSRF attacks. Then again, without CORS you are also not protected from CSRF attacks. The purpose of preflight requests is just to limit your CSRF exposure to what already existed in the pre-CORS world.
But I cannot think of how a CSRF attack is possible if browsers follow the Same Origin Policy. If a malicious site tried to access another site, the browser would simply prevent it, because the origin of the request is different.
Can someone explain how a CSRF attack is possible if CORS was not there?