Since the Origin header is required with a MUST by the RFC for browsers, I think I'm ok with this, absent any evidence that it's possible to convince browsers to leave the origin header off.
https://tools.ietf.org/html/rfc6455#section-4.1
8. The request MUST include a header field with the name |Origin|
[RFC6454] if the request is coming from a browser client. If
the connection is from a non-browser client, the request MAY
include this header field if the semantics of that client match
the use-case described here for browser clients. The value of
this header field is the ASCII serialization of origin of the
context in which the code establishing the connection is
running. See [RFC6454] for the details of how this header field
value is constructed.
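An added example (not part of the original comment or of the code under review) of a server-side handshake check consistent with the quoted RFC text: a request with no Origin header is treated as a non-browser client, while an Origin that is present must match an allow-list. The function names, the header representation and the host names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(value):
    """Return canonical scheme://host[:port], or None if value is not a serialized origin."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None  # also rejects the opaque origin "null"
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None  # a serialized origin carries scheme, host and port only
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_handshake_origin(headers, allowed_origins):
    """headers: list of (name, value) pairs from the opening handshake.

    Returns (allowed, reason). A missing Origin is accepted because RFC 6455
    only requires the header from browser clients; such clients must still
    authenticate, since the Origin check protects browser sessions only.
    """
    origins = [v for k, v in headers if k.lower() == "origin"]
    if not origins:
        return True, "no Origin header: treated as non-browser client"
    if len(origins) > 1:
        return False, "multiple Origin headers"
    origin = normalize_origin(origins[0])
    if origin is None:
        return False, "Origin is not a valid serialized origin"
    allowed = {normalize_origin(o) for o in allowed_origins}
    if origin in allowed:
        return True, "Origin matches allow-list"
    return False, "Origin not in allow-list"


# Constructed sample input; controller.example is a placeholder host.
ALLOWED = ["https://controller.example"]
SAMPLE = [("Host", "controller.example"), ("Origin", "https://evil.example")]
print(check_handshake_origin(SAMPLE, ALLOWED))
```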