Even if the fetch doesn’t have first-party cookies/authentication, there are still things to keep in mind depending on the trust level of the code. For example, is it okay for the untrusted code to access network services on the user’s localhost (like Zoom) or home network (like HomeAssistant, Philips Hue, WiFi router firmware)? These should be blocked by CORS and are sometimes blocked by the browser, but it’s something to keep in mind. Phishing or exfiltration of data? Degrading the experience or consuming the user’s bandwidth allowance by making too many requests? These concerns may or may not be relevant depending on the use case and the level of lockdown on the iframe. A good strategy is to allow-list the resources the iframe can fetch using Content-Security-Policy, which is well supported in browsers, and there’s a browser-level facility for receiving violation logs (although maybe that was phased out?).
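One way to build such an allow-list, as an added example rather than code from the original text: it turns a list of origins into a Content-Security-Policy value for the iframe's document and refuses entries that would re-open localhost or the home network. The function names, the sample origins in the usage comment, and the choice of `script-src 'unsafe-inline'` (the untrusted code is assumed to be inlined into the frame document) are assumptions.

```javascript
// True for hostnames that point at the user's own machine or home network.
// Note: a public DNS name that resolves to a private address is not detected here.
function isLocalOrPrivateHost(hostname) {
  const h = hostname.toLowerCase().replace(/^\[|\]$/g, ""); // URL keeps IPv6 brackets
  if (h === "localhost" || h.endsWith(".localhost") || h.endsWith(".local")) return true;
  // IPv6 loopback, unique-local (fc00::/7) and link-local (fe80::/10)
  if (h === "::1" || /^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h)) return true;
  const m = h.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (!m) return false;
  const a = Number(m[1]);
  const b = Number(m[2]);
  return a === 0 || a === 10 || a === 127 || (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168);
}

// Validate each entry and reduce it to a bare origin (scheme + host + port).
function buildSourceList(origins) {
  const out = [];
  for (const raw of origins) {
    if (raw.includes("*")) throw new Error(`wildcard not allowed: ${raw}`);
    const u = new URL(raw); // throws on malformed input
    if (u.protocol !== "https:") throw new Error(`https only: ${raw}`);
    if (isLocalOrPrivateHost(u.hostname)) throw new Error(`local/private host: ${raw}`);
    if (!out.includes(u.origin)) out.push(u.origin); // drops path, query, credentials
  }
  return out.length ? out.join(" ") : "'none'";
}

// Everything is denied by default; only fetch() and images may reach the allow-list.
function buildFramePolicy(origins) {
  const sources = buildSourceList(origins);
  return [
    "default-src 'none'",
    "script-src 'unsafe-inline'", // assumption: untrusted code is inlined in the frame
    `connect-src ${sources}`,
    `img-src ${sources}`,
    "form-action 'none'",
    "base-uri 'none'",
  ].join("; ");
}

// Usage (constructed origins): send the result as the Content-Security-Policy
// response header of the document loaded in the iframe.
// buildFramePolicy(["https://api.example.com/v1", "https://cdn.example.net:8443"]);
```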