See comment (and further discussion) here.

Version 5.2.1 of the dev server introduced a very strict change to how it deals with requests in the normal setup, where you have HTML served from one origin (say, localhost:8080) and webpack serving from another (say, localhost:4000). In this case, all such requests will be blocked if the resource does not have the crossorigin attribute.

Ordinarily, such a cross-origin request would be fine; the browser sends the header sec-fetch-mode: no-cors to inform the server that it is not using CORS and, as long as the request is reasonably safe (e.g. a GET request for a stylesheet) the server will respond no matter the cross-origin status. Enforcement of cross-origin policy is left as a matter for the browser.

In webpack-dev-server 5.2.1 the maintainers implemented some enforcement of CORS in the server by returning 403 for all cross-origin requests that use this mode. Adding the crossorigin attribute causes the browser to engage its CORS enforcement, and the dev server allows this.