Sure you can, you can make any request you want without CORS, the content is just opaque to you (for example you can display an image but not manipulate its pixels).
You do this for example with `fetch('./any-resource', {mode: 'no-cors'})`.
You can then for example do a `.then(x => x.blob())` and then use the resulting blob as an image.
This is completely incorrect. You can not make any XHR GET or POST requests cross-origin without CORS.
Fonts also do not require CORS, you can link to them in your CSS/styles/etc without technical restrictions (might be legal restrictions of course).