Consider changing CORP to use same-site instead of schemelessly same-site

[domenic]

This would entail replacing https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check step 5 with a simpler

 <li><p>If <var>request</var>'s <a for=request>origin</a> is <a>same site</a> with
 <var>request</var>'s <a for=request>current URL</a>'s <a for=url>origin</a>, then return
 <b>allowed</b>.

Some background in #965 (comment) and #687 (comment).

[annevk]

I think the moment "Mixed Content 2" becomes a thing making this change will be editorial, so waiting for that and then making the change seems fine to me.

cc @youennf @whatwg/security