I was building a website as an experiment, and tried using a few ajax requests to different sites. On some sites I will get an error:
XMLHttpRequest cannot load http://example.com/path No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
When I opened Wireshark and saw what was going through the network, I could see that even on the sites that produced the error (meaning they didn't have Access-Control-Allow-Origin in the response) the request was sent to the site. If I changed the response to include the Access-control-allow-origin: * header, the response would be processed as needed in my site.
My question is: if I was trying to do CSRF to the requested site, the response does not matter as much as the request does. As long as the request was processed at example.com, it doesn't matter whether the response had an Access-Control-Allow-Origin header on it or not (assuming I don't care about the response, I just wanted the action to take place).
Am I correct that the protection is useless, or am I missing something?
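To make the distinction in the question concrete, here is an added example (not code from the original post) modelling a state-changing endpoint as a plain function. It contrasts a naive handler, which acts on the session cookie alone and therefore processes a cross-site request whether or not the response will ever carry Access-Control-Allow-Origin, with a hardened handler that applies the server-side CSRF defences: an Origin/Referer allow-list and a per-session anti-CSRF token. The endpoint, origins, session ids and in-memory token store are all constructed for the example.

```python
"""Why CORS alone does not stop CSRF, and what the server must check instead.

Added example, not part of the original post. The request is modelled as a
dict (headers, cookies, form fields) so the logic runs offline; in a real app
the same checks sit in a middleware in front of every state-changing route.
"""
import hmac
import secrets

# Constructed allow-list of first-party origins for this (hypothetical) app.
ALLOWED_ORIGINS = {"https://app.example"}

# Constructed in-memory store: session id -> anti-CSRF token.
SESSION_TOKENS = {}


def issue_csrf_token(session_id):
    """Bind a fresh random token to the session; the app embeds it in forms."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def naive_handler(request):
    """Acts on the cookie only. The browser attaches cookies to a cross-site
    form post regardless of CORS; a missing Access-Control-Allow-Origin only
    stops the other page from *reading* the response, so the action runs."""
    if request["cookies"].get("session") in SESSION_TOKENS:
        return 200, "transfer done"
    return 401, "not logged in"


def _origin_allowed(origin):
    # Origin is scheme://host[:port]; Referer (fallback) carries a path.
    return any(origin == o or origin.startswith(o + "/") for o in ALLOWED_ORIGINS)


def hardened_handler(request):
    """Same endpoint with two independent CSRF checks."""
    session = request["cookies"].get("session")
    if session not in SESSION_TOKENS:
        return 401, "not logged in"

    # Check 1: the browser-set Origin (or Referer) must be first-party.
    # "null" (sandboxed/file: pages, as in the question's error text) fails here.
    origin = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not origin or not _origin_allowed(origin):
        return 403, "cross-site origin rejected"

    # Check 2: the request must carry the token bound to this session; an
    # attacker's page cannot read it thanks to the same-origin policy.
    supplied = request["form"].get("csrf_token", "")
    expected = SESSION_TOKENS[session]
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403, "missing or wrong CSRF token"

    return 200, "transfer done"


def run_scenarios():
    """Constructed requests: a legitimate first-party post and a cross-site one."""
    token = issue_csrf_token("sess-123")
    legit = {
        "headers": {"Origin": "https://app.example"},
        "cookies": {"session": "sess-123"},
        "form": {"csrf_token": token},
    }
    # Cross-site post: the cookie is still attached by the browser, but the
    # Origin is not first-party and the token is absent.
    cross_site = {
        "headers": {"Origin": "null"},
        "cookies": {"session": "sess-123"},
        "form": {},
    }
    return {
        "naive_legit": naive_handler(legit)[0],
        "naive_cross_site": naive_handler(cross_site)[0],
        "hardened_legit": hardened_handler(legit)[0],
        "hardened_cross_site": hardened_handler(cross_site)[0],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print(f"{name}: {status}")
```

The naive handler returns 200 for both requests, which is exactly the situation the question describes: the request reached the server and was acted on, and the absent CORS header changed nothing about that. The hardened handler rejects the cross-site request at the Origin check and would also reject it at the token check. Marking the session cookie SameSite=Lax or Strict is a complementary browser-side defence, but the server-side token remains the check that does not depend on the client.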