I'm trying to understand CORS and CSRF.
From what I understand, unless a website has CORS headers permitting cross-site resource sharing, the following should not work:
An HTML page on site 1. An image on site 2. The HTML page has an image tag linking to the image.
Unless there are CORS headers, the browser should prevent the HTML page displaying the image? I checked the network tab in developer tools in chrome, and the response headers of the image did not have any CORS headers that I could see:
Access-Control-Allow-Origin
Access-Control-Allow-Methods
Access-Control-Allow-Headers
It had none of the above from what I can tell.
So how come the image displayed?
Thanks
The cross origin sharing standard only covers the following:
source: https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#what_requests_use_cors