When enabled on a server, the Access-Control-Allow-Origin header is sent in its responses to requests. This header tells the client that the server allows requests made through XMLHttpRequest from origins (domains and ports) other than the one hosting the application. The following header allows requests from any origin, making it possible for an attacker to use JavaScript to bypass CSRF protection:
Access-Control-Allow-Origin: *
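The wildcard setting above beside an exact-match allowlist, with a check that classifies the CORS policy a response applies. This is an added example, not code from the original page; the origins, function names and result labels are assumptions, and the reflected-origin case goes one step beyond the wildcard the text describes.

```javascript
// Added example; the origins and function names below are hypothetical.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Weak setting from the text: any origin may read the response.
function corsHeadersWildcard() {
  return { "Access-Control-Allow-Origin": "*" };
}

// Hardened setting: echo the Origin only on an exact allowlist match.
// No substring or regex matching, so a lookalike such as
// "https://app.example.com.example.net" does not pass.
function corsHeadersAllowlist(requestOrigin) {
  const headers = { Vary: "Origin" }; // keep caches from mixing origins
  if (typeof requestOrigin === "string" && ALLOWED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Audit check: classify the CORS policy a response applies to one Origin.
function auditCors(responseHeaders, requestOrigin) {
  const lower = {};
  for (const [name, value] of Object.entries(responseHeaders)) {
    lower[name.toLowerCase()] = String(value).trim(); // header names are case-insensitive
  }
  const acao = lower["access-control-allow-origin"];
  if (acao === undefined) return "no-cross-origin-access";
  if (acao === "*") return "any-origin-allowed";
  if (acao === requestOrigin && !ALLOWED_ORIGINS.has(requestOrigin)) {
    return "unlisted-origin-reflected";
  }
  return ALLOWED_ORIGINS.has(acao) ? "allowlisted-origin" : "unexpected-value";
}

// Constructed sample run.
const untrusted = "https://unlisted.example.net";
console.log(auditCors(corsHeadersWildcard(), untrusted));
console.log(auditCors(corsHeadersAllowlist(untrusted), untrusted));
console.log(auditCors(corsHeadersAllowlist("https://app.example.com"), "https://app.example.com"));
```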