The guard of headers created from no-cors request

In https://fetch.spec.whatwg.org/#dom-request, we set request's headers guard to "request" if _init_ is empty, even when created from a no-cors request. This allows web developers to modify headers that are not CORS-safelisted.

This seems like a spec bug.

See also: #560

@youennf @annevk @jakearchibald 

