https://drafts.fxtf.org/css-masking/#priv-sec says:

User agents must use the potentially CORS-enabled fetch method defined by the [FETCH] specification for all <mask-source>, <clip-source> and <image> values on the mask-image, mask-border-source and clip-path properties. When fetching, user agents must use “Anonymous” mode, set the referrer source to the stylesheet’s URL and set the origin to the URL of the containing document. If this results in network errors, the effect is as if the value none had been specified.

However, Fetch doesn't define "potentially CORS-enabled fetch" and mentions it only in https://fetch.spec.whatwg.org/#goals as having once been in HTML.

Perhaps @annevk can suggest what to say instead.