as far as my knowledge goes: there was a bug to add custom headers without a pre-flight in flash in 2013/2014.
it could happen again with any other plugin. Therefore implementing tokens is not only second-line, but should be first-line of defense :)
It looks like the Origin/Referer check would have prevented these though, yeah? (I think these are the Flash hacks that OWASP warned about.)
If you are able to set referer/origin, the check would be useless. The only thing why the check works: you can't set certain headers without a preflight because of CORS restriction.
BUT: you are right. This particular bug does not affect the referer/origin check, because some headers are blacklistet in flash.
Just wanted to display, that it happened before and planing a fail in a security system, because of another software is never a good idea.
So implementing one solution (token), instead of a solution which could break, and one solid one, is more cost effective.
Tokens are implemented in nearly every framework. Using them are most of the time the easier option.
But i like your writing, and that you supply all the information :)
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.