SafeCache policy likely fails for https->http CORS (and reverse)
Georg noticed several edge cases for the SafeCache policy in #3665 (closed). I fixed the ones he found there, but I suspect more may remain, especially for mixed-content pages with CORS requests.
We need to first test this by standing up http://arunranga.com/examples/access-control/simpleXSInvocation.html or similar on a mixed-mode server.
Fixing it will be extra fun, I suspect...