After moving the CORS/CSP checks to network process, we have lost test coverage since http/tests/quicklook/same-origin-xmlhttprequest-allowed.html does not use a valid quicklook resource URL.
<rdar://problem/40702308>
*** This bug has been marked as a duplicate of bug 186202 ***
Reopening, wrong click