Can you explain the risk with regards to no-cors requests? Like presumably an attacker requesting an image isn't scary, right? I'd think the real issue would be the attacker making credentialed requests.
The point is that the endpoint can be anything, it doesn't need to have anything to do with images. But because of the context of the request, it's no-cors.
Right but that's why CORS exists, so I'm trying to figure out what this mitigation is for. Like, you can't just fetch with credentials by accident - I guess if you don't use http cookies, which sure that's fine, maybe you can?
This isn't my area of security so I'm trying to figure out what the scenario is supposed to be where this mitigation is important.
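To make the reply's point concrete: the browser sends a no-cors request (an `<img>` load, a `fetch(..., {mode: "no-cors"})`) to whatever URL it names, with cookies unless they are SameSite-restricted; CORS only stops the attacker page from reading the response, not the request from reaching the endpoint. Below is an added example, not code from this thread, of the kind of server-side mitigation that addresses this, assumed here to be a Fetch Metadata resource-isolation check on the real `Sec-Fetch-*` headers; the request samples and endpoint paths are constructed.

```python
from dataclasses import dataclass

# Navigations with these destinations can be driven cross-site by an attacker page,
# so they are not treated like an ordinary top-level navigation.
_EMBED_DESTS = {"object", "embed"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict  # header names in any case, as a framework would present them


def allowed_by_resource_isolation(req: Request) -> bool:
    """Return True if the request may proceed, False if it should be rejected.

    Policy (the common resource-isolation recipe):
      1. No Fetch Metadata at all (old browsers, non-browser clients): pass through;
         CSRF tokens / auth still apply to those.
      2. same-origin, same-site or user-initiated (none) requests: allow.
      3. Cross-site top-level GET/HEAD navigations: allow, except object/embed.
      4. Anything else cross-site, including a no-cors <img> or no-cors fetch()
         aimed at an API path, is rejected before the handler runs.
    """
    h = {k.lower(): v for k, v in req.headers.items()}
    site = h.get("sec-fetch-site")
    if site is None:
        return True
    if site in ("same-origin", "same-site", "none"):
        return True
    mode = h.get("sec-fetch-mode")
    dest = h.get("sec-fetch-dest", "")
    if mode == "navigate" and req.method in ("GET", "HEAD") and dest not in _EMBED_DESTS:
        return True
    return False


# Constructed samples: what the server sees when a third-party page embeds the API
# URL in an <img> tag, versus the application's own same-origin fetch().
CROSS_SITE_IMG = Request("GET", "/api/transfer", {
    "Cookie": "session=abc",  # present unless the cookie is SameSite-restricted
    "Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image",
})
SAME_ORIGIN_FETCH = Request("POST", "/api/transfer", {
    "Cookie": "session=abc",
    "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty",
})
```

Note that the URL and cookie are identical in both samples; only the Fetch Metadata headers tell the server which one came from a cross-site no-cors context.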