If a server accepts cross site XHTMLRequests (access-control-allow-origin), shouldn't the server enforce a protection against cross site request forgery (CSRF)?
It depends. Generally speaking, if the request causes permanent changes, and you don't want people arbitrarily causing changes, CSRF protection is highly advised.