Currently we send the "Referer" header on requests to identity providers. "Origin", on the other hand, is a more modern concept, and its semantics agree with the value we have. As a result, during a recent discussion with Safari and Firefox, we decided to use "Origin" instead. In particular:
Chrome will use "Origin" instead of "Referer" for the requests that need to expose the relying party (RP).
Chrome will send no Origin header (instead of "Origin: null") for requests that do not expose the RP.
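
What the change means for an identity provider's request handling, as an added example that is not Chrome's code or part of the original text. The `REGISTERED_RPS` allowlist, the function names and the sample origins are assumptions made for illustration.

```javascript
// Added example. REGISTERED_RPS and all function names are hypothetical;
// the origins are constructed sample values.
const REGISTERED_RPS = new Set(["https://rp.example", "https://shop.example:8443"]);

// Serialized origin of a URL string, or null for missing, "null" or opaque values.
function toOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// headers: lower-cased header map. exposesRp: whether this request is one
// that is supposed to identify the RP to the identity provider.
function classifyRequest(headers, exposesRp) {
  const { origin, referer } = headers;
  if (!exposesRp) {
    // New behaviour is no Origin at all; "Origin: null" is the older form.
    if (origin === undefined || origin === "null") return { ok: true, rp: null };
    return { ok: false, reason: "Origin present on a request that must not expose the RP" };
  }
  let rp = null;
  let via = null;
  if (origin !== undefined) {
    // Origin must be a bare serialized origin: no path, query or fragment.
    rp = toOrigin(origin);
    if (rp !== origin) return { ok: false, reason: "malformed Origin" };
    via = "origin";
  } else if (referer !== undefined) {
    // Transitional fallback for clients that still send Referer.
    rp = toOrigin(referer);
    via = "referer";
  }
  if (rp === null) return { ok: false, reason: "no usable RP origin" };
  if (!REGISTERED_RPS.has(rp)) return { ok: false, reason: "unregistered RP" };
  return { ok: true, rp, via };
}
```

Once no clients send Referer any more, the fallback branch can be deleted so that the RP is taken from Origin only.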