Since a browser must send an Origin header with any cross-origin request that uses an unsafe method (I hope you don't use the GET method for state changes), you can simply check whether the origin is whitelisted.
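One way to implement that check on the server, written for Node.js 18 or later as an added example (this is not code from the original post; the allowlist entries, the function names and the Express-style middleware glue are assumptions). It fails closed when the Origin header is absent or opaque (`null`), treats safe methods as exempt, and compares the normalised origin exactly rather than by prefix or substring, so `https://app.example.com.evil.net` does not pass as `https://app.example.com`:

```javascript
// Added example: allowlist check on the Origin header for state-changing requests.
// Assumes Node.js >= 18 (global URL). Names and allowlist entries are hypothetical.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Assumed allowlist: origins permitted to send state-changing requests.
// Entries are serialised origins (scheme://host[:port]), nothing else.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// Reduce a header value to a serialised origin (scheme://host[:port]) the same way
// a browser would, or return null when the value is missing, malformed, the opaque
// string "null", or carries parts a real Origin header never has (path, query,
// fragment, credentials). Default ports are dropped, so "https://h:443" == "https://h".
function normalizeOrigin(value) {
  if (typeof value !== 'string' || value.length === 0) return null;
  let url;
  try {
    url = new URL(value); // throws for "null" and for anything that is not a URL
  } catch {
    return null;
  }
  if (url.origin === 'null') return null; // opaque origins (e.g. blob:, file:)
  if (url.pathname !== '/' || url.search || url.hash) return null;
  if (url.username || url.password) return null;
  return url.origin;
}

// Decide whether a request may proceed. `headers` uses lower-case keys as Node's
// http module delivers them. Returns a verdict object so the caller can log the reason.
function isRequestAllowed(method, headers, allowed = ALLOWED_ORIGINS) {
  const m = String(method).toUpperCase();
  if (SAFE_METHODS.has(m)) {
    return { allowed: true, reason: 'safe method, origin check not required' };
  }
  const origin = normalizeOrigin(headers && headers.origin);
  if (origin === null) {
    // Browsers send "null" from sandboxed iframes and after some redirects, and
    // non-browser clients may omit the header entirely; both are rejected.
    return { allowed: false, reason: 'missing or opaque Origin header' };
  }
  if (!allowed.has(origin)) {
    return { allowed: false, reason: `origin ${origin} is not allowlisted` };
  }
  return { allowed: true, reason: `origin ${origin} is allowlisted` };
}

// Express-style middleware (hypothetical glue; the check itself is framework-agnostic).
function originGuard(req, res, next) {
  const verdict = isRequestAllowed(req.method, req.headers);
  if (!verdict.allowed) {
    res.statusCode = 403;
    res.end('Forbidden: ' + verdict.reason);
    return;
  }
  next();
}

module.exports = { normalizeOrigin, isRequestAllowed, originGuard, ALLOWED_ORIGINS };
```

Rejecting a missing Origin on unsafe methods is the deliberate choice here: a modern browser always sends it for cross-origin POST/PUT/DELETE, so its absence means either a non-browser client or a stripped header, and neither should be trusted by a check whose whole job is to tell browser contexts apart.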