Reword no-cors section a bit

whatwg · Jan 29, 2025 · 3ded9cd · 3ded9cd
1 parent 5062a48
commit 3ded9cd
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/fetch.bs b/fetch.bs
@@ -9114,9 +9114,9 @@ restricting the network access, the embedder is restricted in what they are allo
 to be done in a way that's opaque to the embedding origin. Only the user should have access to the
 resource, not the embedder.
 
-<p>This mechanism of fetching should not be used in new specs. However, specs should be written with
-the notion that no-CORS resources exists, and the new spec should not grant origins the ability to
-read their contents.
+<p>This mechanism of fetching should not be used in new specs. In addition, specs should be careful
+not to accidentally expose data that was retrieved using "<code>no-cors</code>", e.g., by supplying
+new mechanisms to read images without checking for this.
 
 <p>Note that this is the default request mode, so new specs should be deliberate about setting the
 request's <a for=request>mode</a> to "<code>cors</code>" or to "<code>same origin</code>", as