It's super finicky and will call the .onerror method if anything goes wrong. There is no way to know why the onerror method was called.
When requesting a resource on the same domain, other browsers don't require Access-Control-Allow-Origin:* to be set.
XDomainRequest will call onerror if this header is not set - even though a same-origin request is technically not CORS. XDomainRequest expects to be used only for CORS requests, not same-origin requests.
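
One way to act on this, as an added example that is not from the original page: choose the transport by origin, so XDomainRequest is only used for cross-origin URLs and same-origin endpoints never need the Access-Control-Allow-Origin header. The helper names (parseOrigin, sameOrigin, pickTransport) and the env parameter, a stand-in for window, are assumptions.

```javascript
// Added example, not code from the original page. All names are hypothetical.
var DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce an absolute http(s) URL to "scheme//host:port".
// Userinfo is skipped, so "http://a.example@b.example/" resolves to b.example.
// Bracketed IPv6 literals are kept whole as the host.
function parseOrigin(url) {
  var re = /^(https?:)\/\/(?:[^\/?#@]*@)?(\[[^\]]+\]|[^\/:?#]+)(?::(\d+))?/i;
  var m = re.exec(url);
  if (!m) return null;
  var scheme = m[1].toLowerCase();
  // Fill in the default port so ":80" and no port compare equal.
  return scheme + '//' + m[2].toLowerCase() + ':' + (m[3] || DEFAULT_PORTS[scheme]);
}

// True when url resolves to the same scheme, host and port as pageUrl.
function sameOrigin(url, pageUrl) {
  var page = parseOrigin(pageUrl);
  // Protocol-relative URLs ("//host/path") inherit the page's scheme.
  if (url.slice(0, 2) === '//') {
    url = pageUrl.slice(0, pageUrl.indexOf('//')) + url;
  }
  // No scheme at all: a relative path, which stays on the page's origin.
  if (!/^[a-z][a-z0-9+.\-]*:/i.test(url)) return true;
  var target = parseOrigin(url);
  return page !== null && target !== null && page === target;
}

// Returns 'xhr' or 'xdr'. env is the global object (window in a browser).
function pickTransport(url, pageUrl, env) {
  // Same-origin: plain XMLHttpRequest, which needs no CORS response header.
  if (sameOrigin(url, pageUrl)) return 'xhr';
  // Cross-origin: prefer an XMLHttpRequest that supports CORS natively.
  if ('withCredentials' in new env.XMLHttpRequest()) return 'xhr';
  // Otherwise fall back to XDomainRequest where the browser provides it.
  return typeof env.XDomainRequest !== 'undefined' ? 'xdr' : 'xhr';
}
```

Because onerror carries no reason, logging the chosen transport and the target URL at the call site is the only context available when a request fails.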