'Do some browsers require the Origin header to be explicitly allowed for CORS to succeed?

Among popular CORS middleware libraries for Go is rs/cors. In its source code, above some logic that unconditionally adds Origin to the list of allowed headers, I found the following comment:

Origin is always appended as some browsers will always request for this header at preflight

🤔 I find this statement surprising... The Fetch standard (the de factor standard for the CORS protocol) states that compliant user agents set the Origin header themselves. Therefore, there should be no use for compliant user agents to require servers to explicitly list Origin in the Access-Control-Allow-Headers header.

Do some browsers actually require the Origin header to be explicitly allowed by the server for CORS to succeed? If so, what are those browsers and what is their rationale?

corshttp-headersfetchuser-agent


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Related Questions

403 Forbidden vs 401 Unauthorized HTTP responses

enable Apache http Authorization header

Can HTML imports be specified using the Link HTTP header, or only with a <link> tag?

Header parameters: "Accept" and "Content-type" in a REST context

How do you get "x-" headers in Next.js

slack files & url with headers

Resources loading over https connection

How can I download a file in Python3 with urlopen() or add custom headers to urlretrieve()?

how to get the header value, if we don't know the value because the value is random from the server

Login and getting session id of the logged using Https connection in java

How to add http Headers in react js app's response

How to set X-Frame-Options header in angularjs?

Downsides of 'Access-Control-Allow-Origin: *'?

How to override header set in Apache config with more specific header in a virtual host

How to send HTTP Headers during/after HTTP Body stream? Is there spec work on this?