There's no reason that resource URLs / resource domain should be accessed when authenticated, so prevent that.
PR#8922