In our WebSEAL-hosted IIS environment, our QS 2.0.6 mashup receives this CORS error often, typically visible only in the browser Dev Tools. It occurs much more often in Chrome, but does occur in Internet explorer as well.
At its worst, It redirects the user entirely to the windows_authentication URL, and renders a blank page.
I've tried adding a Access-Control-Allow-Origin header in my mashup web.config, initially for our QlikSense domain specifically, and then eventually (just to rule the potential remedy out), for "*", with no success.
Could it be that the authentication ticket is dropped somehow in our network environment?