Ignore CORS checks

[DanielHerr]

Chrome Apps are able to bypass CORS checks after adding host permissions to the manifest. It would be great if IWAs (and PWAs too, but I'm not holding my breath for that happening) were able to fetch any resources even if they don't have CORS headers declared.

An example use case is using Steam's public HTTP API, which doesn't declare CORS headers, probably because they assume it will be used by native apps not subject to such restrictions.

With the introduction of <controlledframe>, such restrictions are a pointless hassle because the IWA can simply load the desired resource in the CF and extract it.