Site accepting cross-site XMLHttpRequests should always require XSRF security?
If a server accepts cross-site XMLHttpRequests (Access-Control-Allow-Origin), shouldn't the server enforce a protection against cross-site request forgery (CSRF)?
It depends. Generally speaking, if the request causes permanent changes, and you don't want people arbitrarily causing changes, CSRF protection is highly advised.
The server should not enforce that but the application should, whenever it has critical operations done via a non-human-validated (i.e., CAPTCHA) request.
Yes. You should always protect against CSRF in general.