Site accepting cross-site XHTMLRequest should always require XSRF security?

If a server accepts cross site XHTMLRequests (access-control-allow-origin), shouldn't the server enforce a protection against cross site request forgery (CSRF)?

Solution

It depends. Generally speaking, if the request causes permanent changes, and you don't want people arbitrarily causing changes, CSRF protection is highly advised.

How to pass along CSRF token in an AJAX post request for a form?
Cross Domain Form POSTing
How to set 'SameSite' on a cookie from within a Java application?
CSRF cookie error after Django 3.2 update (DRF with token authentication)
SpringBoot + React: SpringBoot not checking CSRF token
Django Rest Framework remove csrf
Disable CSRF token on login form
django CSRF token cookie not set for some users
Why does my CSRF token validation fail when deleting multiple entries in PHP?
Get the CSRF token in test
Symfony 4.3 returning invalid CSRF token always
Django - Login - Forbidden (CSRF token missing or incorrect.):
Where to store JWT in browser? How to protect against CSRF?
How csurf middleware validates tokens?
Why does CSRF require client changes?
How to add assign csrf token in the HTML submit form
How can I make Sinatra use CSRF Authenticity tokens?
Laravel 11 - Disable CSRF for a route
Preventing CSRF with the same-site cookie attribute
Does a proper CORS setup prevent CSRF attack?
api endpoint not doing CSRF token validation on Sanctum - CSRF Token Mismatch
How to solve "CSRF Token Mismatch" in Laravel
django CSRF_TRUSTED_ORIGINS not working as expected
How do I set a wildcard for CSRF_TRUSTED_ORIGINS in Django?
CSRF token mismatch in post request in 3.6 version
Spring Boot + Security + Thymeleaf and CSRF token not injected automatically
CSRF token requirement if implemented JWT
Jenkins plugin stapler invalid header
How can I embed django csrf token straight into HTML?
How can I get the csrftoken token in the view directly?