I understand that cross-origin, "simple" requests, like GET and POST have always been allowed (but you just can't view the response), and that PUT/DELETE are blocked, or preflighted if your browser supports CORS.
I understand that allowing a GET request to be sent is harmless, as long as the response is blocked, because GET requests should be safe/idempotent (if not, that's the developer's fault for not making their API ReSTful).
I also understand from this answer, that GET and POST are typical/intentional requests made by users, eg when typing something into the URL textbox or clicking a button to post a form.
But why would a browser allow a cross-origin POST request using xhr?
So what if the user can make intentional POST requests by clicking on a button to post a form? Allowing javascript to send a POST request is a recipe for disaster, any malicious page that loads could execute a cross-origin POST request behind the scenes.
Why didn't browsers prevent this from the beginning?
If they did, then now that CORS is around, POST requests could be preflighted just like PUT/DELETE and you'd have fewer xsrf attacks.