You should protect against CSRF on any inputs that can change state imo.
Cross-site request forgery
Cross-origin resource sharing
If no one from another origin is able to make requests to your site (CORS disabled),
then CSRF is redundant imo.
But that's not what CORS does. Re-read the warning in the article.
We're a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.