One idea that the article doesn't convey well, in my opinion, is that the Same-Origin Policy only prevents the browser from reading the response from an HTTP server to a third-party host, but it doesn't prevent the request from being issued in the first place. The CORS headers are merely a way for the server to indicate to the browser whether it is allowed to read the response or not, but it doesn't protect the server from anything.
Especially, setting the "Access-Control-Allow-Credentials" header to true means that a client which sent a request with a cookie is allowed to read the result, but whether the request is sent with a cookie or not, and will be treated as such by the server, is entirely up to the client.
So although malicious.com cannot read the details of bank.com using AJAX, it can definitely send a POST request to trigger the transfer from the user's account to a malicious account using the user's cookie (blindly so).
This is the reason proper CSRF protection must be implemented by the server, independently of whether CORS is enabled or not.
This is not entirely true. The preflight's role is exactly to prevent a POST request from being sent to the server. There is no preflight only in particular cases.
This is entirely false. POST requests with headers set automatically by the user agent aren't preflight-ed. There is a preflight only in particular cases.
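Putting the two points of this exchange together as an added example (not code from any commenter): a Python model of which cross-origin POSTs a browser sends without a preflight, alongside a server-side transfer handler whose CSRF check does not depend on any CORS response header. The session store, origins, token values and the `needs_preflight`/`handle_transfer` names are constructed for illustration.

```python
import hmac

# Request headers a page's script may set on a cross-origin request without
# triggering a preflight (CORS-safelisted request headers), and the Content-Type
# values allowed for them. Cookie is added by the browser, not the script.
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def needs_preflight(method, script_headers):
    """True if a browser would send an OPTIONS preflight before this request."""
    if method.upper() not in {"GET", "HEAD", "POST"}:
        return True
    for name, value in script_headers.items():
        lname = name.lower()
        if lname not in SAFELISTED_HEADERS:
            return True
        if lname == "content-type":
            mime = value.split(";", 1)[0].strip().lower()
            if mime not in SAFELISTED_CONTENT_TYPES:
                return True
    return False


# Constructed session store: session cookie value -> user and per-session CSRF token.
SESSIONS = {"sess-1234": {"user": "alice", "csrf": "tok-abcdef"}}
ALLOWED_ORIGINS = {"https://bank.example"}


def handle_transfer(cookies, headers, form):
    """Server side of POST /transfer. By the time this runs the request has
    already arrived with whatever cookie the browser attached, so the server
    must verify a CSRF token (and optionally the Origin header) itself."""
    session = SESSIONS.get(cookies.get("session", ""))
    if session is None:
        return 401, "not logged in"
    origin = headers.get("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "cross-site origin rejected"
    token = form.get("csrf", "")
    if not hmac.compare_digest(token, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, "transferred %s to %s" % (form["amount"], form["to"])
```

A form-encoded POST with the session cookie reaches `handle_transfer` without any preflight; only the token check (not CORS) stops it when it comes from another site.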
I don't really care where my annoyance is aimed, I just don't want to be annoyed. All websites use cookies to track users. In this context getting consent is noise.
The medical resident analogy can't be used as an umbrella example proving that it's absurd to look for passion on a personal level. There are other professions where passion is almost always expected. Car mechanics are all about cars; plane pilots are all about planes; academics are all about whatever their subject is; architects are all about buildings and houses; anyone on the artistry side is all about their art. I believe that most engineers also have quite a passion for their craft. Don't get a civil engineer started on how bridges stand unless your afternoon is free.
In a sense I feel that this current trend of promoting software development as "just a job" is yet another step in the ditch that is forming between the ideal of "software engineering" and the reality of "software development". It's the way things are going and I have no strong feeling about it one way or another, but it seems obvious to me that employers would be more attracted to someone with passion for the craft, as well as fellow passionate people wanting to work among a crowd like them.