attribution-reporting-api
Attributionsrc request seems like it should use CORS
https://wicg.github.io/attribution-reporting-api/#issue-add794c8 is a little sad to see as that's a very fundamental TODO. In particular, it is probably a security bug? All new network requests on the web platform should use CORS, and in particular, this looks like a cross-origin request whose response is useful and processed accordingly. In Chromium, this response is processed in the renderer, which seems to make it doubly important that the request use CORS.
Unfortunately, neither the spec nor the implementation uses CORS, which seems bad.
Can we consult our security reviewers to see if this decision was intentional or has been evaluated?