[SOLVED] How come i can display an image from another website even though it doesn't have CORS headers?

How come i can display an image from another website even though it doesn't have CORS headers?

I'm trying to understand CORS and CSRF.

From what I understand, unless a website has CORS headers permitting cross-site resource sharing, the following should not work:

An HTML page on site 1. An image on site 2. The HTML page has an image tag linking to the image.

Unless there are CORS headers, the browser should prevent the HTML page displaying the image? I checked the network tab in developer tools in chrome, and the response headers of the image did not have any CORS headers that I could see:

Access-Control-Allow-Origin
Access-Control-Allow-Methods
Access-Control-Allow-Headers

It had none of the above from what I can tell.

So how come the image displayed?

Thanks

Solution

The cross origin sharing standard only covers the following:

Invocations of the XMLHttpRequest or Fetch APIs.
Web Fonts (for cross-domain font usage in @font-face within CSS), so that servers can deploy TrueType fonts that can only be loaded cross-origin and used by web sites that are permitted to do so.
WebGL textures.
Images/video frames drawn to a canvas using drawImage().
CSS Shapes from images.

source: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#what_requests_use_cors