w3c / webappsec-mixed-content

WebAppSec Mixed Content
https://w3c.github.io/webappsec-mixed-content/

Clarify treatment of CORS-enabled requests #50

Open letitz opened 3 years ago

letitz commented 3 years ago

Section 3.1. Upgradeable Content states:

We further limit this category in § 4.4 Should fetching request be blocked as mixed content? by force-failing any CORS-enabled request. This means, for example, that mixed content images loaded via <img crossorigin ...> will be blocked.

However section 4.4. Should fetching request be blocked as mixed content? does not seem to make such an exception.

At least one of the two sections seems like it needs revising. Which is it?

annevk commented 3 years ago

As long as we keep

The user agent has been instructed to allow mixed content, as described in § 7.2 User Controls).

I suspect the latter should be modified so that even when the user allows mixed content requests, it's still not allowed for CORS. I think Mozilla would be okay with dropping the UI overrides at this point though.