Many sites will also have a CSP that blocks placekitten.com along with other 3rd party img tag origins. Daring users on Firefox can circumvent this protection by browsing to about:config and setting security.csp.enabled to false.
Aye, CORS settings will break it, as will any images that get dynamically updated our loaded as you scroll etc. Also it won't catch images used as backgrounds. There are a lot of ways to break bookmarklets, intentionally, by application of security settings for other reasons (like, erm, security!), or accidentally.
