by ddworken 1803 days ago
On the web, requests are made in either `cors` mode or `no-cors` mode. In `cors` mode, the `Origin` header is sent in the request. So yes, in `cors` mode the server could reject the request based on the `Origin` header. But in `no-cors` mode (the default if you do something like `<img src='...'>`) the `Origin` header isn't set, so CORS doesn't help defend against any attacks.

But of course, the server could reject no-cors requests, or any request missing an Origin header.
Can you explain the risk with regard to no-cors requests? Like presumably an attacker requesting an image isn't scary, right? I'd think the real issue would be the attacker making credentialed requests.
The point is that the endpoint can be anything; it doesn't need to have anything to do with images. But because of the context of the request, it's no-cors.
Right, but that's why CORS exists, so I'm trying to figure out what this mitigation is for. Like, you can't just fetch with credentials by accident - I guess if you don't use HTTP cookies, which sure that's fine, maybe you can?

This isn't my area of security so I'm trying to figure out what the scenario is supposed to be where this mitigation is important.
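
The server-side check the thread is debating, as an added example that is not part of any comment above: an `Origin` allowlist evaluated against a `cors`-mode request and an `<img>`-style `no-cors` request, with and without the "reject requests missing `Origin`" rule from the first reply. The names `ALLOWED_ORIGINS`, `checkOrigin`, `evaluate`, the hosts and the path are all constructed for illustration.

```javascript
// Added example: names, hosts and paths below are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://partner.example"]);

// Decide "allow" or "reject" for one request.
// headers: object with lower-cased header names, as Node's http module provides.
// rejectMissingOrigin: the stricter rule suggested in the first reply.
function checkOrigin(headers, { rejectMissingOrigin = false } = {}) {
  const origin = headers["origin"];
  if (origin === undefined) {
    // No Origin header: the allowlist has nothing to compare against,
    // so the outcome depends entirely on the fallback policy.
    return rejectMissingOrigin ? "reject" : "allow";
  }
  return ALLOWED_ORIGINS.has(origin) ? "allow" : "reject";
}

// Constructed sample requests, all aimed at the same non-image endpoint.
const samples = [
  { name: "cors-mode fetch from an allowlisted origin",
    path: "/api/state", headers: { origin: "https://partner.example" } },
  { name: "cors-mode fetch from another origin",
    path: "/api/state", headers: { origin: "https://other.example" } },
  { name: "<img src> on another site (no-cors, no Origin header)",
    path: "/api/state", headers: {} },
];

// Run every sample through the check under one policy setting.
function evaluate(options) {
  return samples.map((s) => ({
    name: s.name,
    decision: checkOrigin(s.headers, options),
  }));
}

for (const opts of [{ rejectMissingOrigin: false }, { rejectMissingOrigin: true }]) {
  console.log(JSON.stringify(opts));
  for (const r of evaluate(opts)) {
    console.log(`  ${r.decision.padEnd(6)} ${r.name}`);
  }
}
```

With `rejectMissingOrigin` enabled the server also turns away other requests that browsers send without an `Origin` header, such as same-origin GETs and top-level navigations, so those paths need their own handling.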