Everyone says CORS doesn't do anything to defend against CSRF attacks. This is because CORS blocks outside domains from accessing (reading) resources on your domain -- but doesn't prevent the request from being processed. So evil sites can send state-changing DELETE requests, without caring that they can't read back the result.
That's all well and good.
Except for pre-flight CORS.
In this case, CORS looks at the request BEFORE it is sent, and checks whether it's legitimate. If it's not, the request is rejected.
So the DELETE request that the CSRF attacker tries to send fails the pre-flight check, and thus is rejected. The CSRF attack fails.
What am I missing here?
Pre-flight requests don't prevent CSRF in general. For example not all cross-domain ajax calls generate a pre-flight request, plain POSTs don't. There may be specific cases when pre-flight requests do indeed help to reduce the risk though.
Another problem is the same as with checking the referer/origin. While it is not possible for an attacker to override referer or origin in plain Javascript on a malicious website, it may be possibble to do so using a suitable browser plugin, like an old version of Flash for instance. If a browser plugin allows to do that, the attacker might be able to send cross-origin requests without a pre-flight. So you don't want to rely on pre-flight requests only.