I observed this when opening intern/client.html in a browser, while served from a server that requires authentication (session cookie). All resources are loaded from the same origin, so the forced CORS request imho makes no sense. Shouldn't this only be activated in case we're actually loading something from a different origin?
From @rodneyrehm on dojo/dojo2#15: