Yes, the original CSRF attack using a plain html form does not even require JavaScript. CORS does not address this scenario.

But a cross-domain POST is only allowed if the payload is form-data encoded. A JSON payload from JavaScript would be blocked by default, as would other methods beyond GET and POST. Therefore you usually don’t have to worry about CSRF for a JavaScript API.

CORS is a way to enable cross-domain calls from JavaScript without introducing the CSRF issue.

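The distinction the post above relies on (a plain form can only produce the CORS "simple" content types, while a JSON body from JavaScript triggers a preflight the server can decline) can be enforced server-side as a defence-in-depth check. This is an added example, not code from the thread; `Request`, `csrf_check` and the allowed-origin set are constructed for illustration, and it assumes the API only ever expects JSON bodies.

```python
from dataclasses import dataclass, field

# Content types a browser will send cross-origin WITHOUT a CORS preflight.
# A plain <form> (with the matching enctype) can produce all three, so a
# state-changing endpoint that accepts any of them is reachable by CSRF.
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # must not change state anyway


@dataclass
class Request:  # constructed stand-in for a framework request object
    method: str
    headers: dict = field(default_factory=dict)


def _header(req: Request, name: str):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in req.headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csrf_check(req: Request, allowed_origins: set) -> tuple:
    """Return (accepted, reason) for a request to a JSON-only API.

    Rejects anything a cross-site form could have produced (a simple content
    type), then, as a second layer, rejects a browser-supplied Origin that is
    not on the allow-list. A missing Origin is treated as a non-browser client.
    """
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    raw = _header(req, "Content-Type") or ""
    ctype = raw.split(";")[0].strip().lower()  # drop "; charset=..." parameters
    if not ctype or ctype in SIMPLE_CONTENT_TYPES:
        return False, f"simple content type {ctype or '<none>'} rejected"
    origin = _header(req, "Origin")
    if origin is not None and origin.lower() not in allowed_origins:
        return False, f"origin {origin} not allowed"
    return True, "non-simple content type from an allowed origin"
```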
> Isn't that what CSRF protections are for, not CORS?

Without the same origin policy CSRF protections would be trivial to circumvent, since you’d be able to read the CSRF token from any page.

Sure, but that falls under the "no unauthorised GET data" thing I talked about...?