Using referrerpolicy="no-referrer"
seems to help. While it didn’t work in a localhost app (before I added this attribute), it worked consistently when loading the image in its own tab. One of the differences in the request headers was the absence of referer
.