Comment 135 for bug 1409142

Paul McMillan (paul-mcmillan) wrote :

Since the Origin header is required with a MUST by the RFC for browsers, I think I'm ok with this, absent any evidence that it's possible to convince browsers to leave the origin header off.

https://tools.ietf.org/html/rfc6455#section-4.1

   8. The request MUST include a header field with the name |Origin|
        [RFC6454] if the request is coming from a browser client. If
        the connection is from a non-browser client, the request MAY
        include this header field if the semantics of that client match
        the use-case described here for browser clients. The value of
        this header field is the ASCII serialization of origin of the
        context in which the code establishing the connection is
        running. See [RFC6454] for the details of how this header field
        value is constructed.
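
The check this comment reasons about, as an added example that is not part of the original comment or of the patch under review. It assumes the policy being discussed is to accept an opening handshake that carries no Origin header and to reject one whose Origin is not on an allowlist; the allowlist entry and all function names are made up for illustration.

```python
from urllib.parse import urlsplit

# Constructed allowlist for illustration (hypothetical host name).
ALLOWED_ORIGINS = {"https://console.example.com"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_headers(raw_request: bytes) -> dict:
    """Map lowercased header names to the list of values seen for each."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def normalize_origin(value: str):
    """Return scheme://host[:port] with default ports dropped, or None."""
    try:
        parts = urlsplit(value)
        port = parts.port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None  # a serialized origin carries no path, query or userinfo
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_origin(raw_request: bytes, allowed=ALLOWED_ORIGINS):
    """Return (accept, reason) for a WebSocket opening handshake."""
    origins = parse_headers(raw_request).get("origin", [])
    if not origins:
        # RFC 6455 section 4.1 item 8: browsers MUST send Origin, so a request
        # without it is treated as a non-browser client and let through.
        return True, "no Origin header (non-browser client)"
    if len(origins) > 1:
        return False, "multiple Origin headers"
    origin = normalize_origin(origins[0])
    if origin in allowed:
        return True, "Origin allowed"
    return False, "Origin not allowed"
```

The no-Origin branch is only as safe as the assumption stated in the comment: that a browser cannot be made to omit the header.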