UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36

Steps to reproduce the problem:
1. Host the following HTML on a website.
<html><body><link rel="stylesheet" href="http://cdnjs.runsignup.com/ajax/libs/pushy/1.1.2/css/pushy.min.css" integrity="sha256-gLzuRXjdchL4hw3rJV2qaLx1La3q64na8i+1Ayidcb4=" crossorigin="anonymous" /></body></html>
2.  Go to the page you created.
3.  Open the develop tools.
4.  Reload the page.

What is the expected behavior?
pushy.min.css should load without a CORS issue.

What went wrong?
At step 2, Chrome makes web requests for pushy.min.css and push.min.css.map without an Origin header (I saw this in wireshark).  Chrome then caches this new version, but it doesn't have Vary: Origin, so the next page reload gets a CORS issue (No 'Access-Control-Allow-Origin' header is present on the requested resource.)

Did this work before? N/A 

Chrome version: 71.0.3578.98  Channel: stable
OS Version: OS X 10.14.2
Flash Version: 

This seems like it might be related to CSS with a source map.  Also, the example might not work as we'll likely update our CDN to always return Vary: Origin.  However, if you host the file on CloudFront, you can see the same issue because CloudFront will not add Vary: Origin if no Origin is passed in.  You can probably replicate on other CDNs if they don't set Vary: Origin when there's no Origin header.