In our WebSEAL-hosted IIS environment, our QS 2.0.6 mashup receives this CORS error often, typically visible only in the browser Dev Tools. It occurs much more often in Chrome, but does occur in Internet explorer as well. 

At its worst, It redirects the user entirely to the windows_authentication URL, and renders a blank page.

GET https://myqliksensedomain:4244/windows_authentication/?targetId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

XMLHttpRequest cannot load https://myqliksensedomain:4244/windows_authentication/?targetId=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access. The response had HTTP status code 401.

I've tried adding a Access-Control-Allow-Origin header in my mashup web.config, initially for our QlikSense domain specifically, and then eventually (just to rule the potential remedy out), for "*", with no success. 

Could it be that the authentication ticket is dropped somehow in our network environment?

Thanks.