PSA: Use Origin header instead of Referer in FedCM requests starting from M110

[FedCM developer newsletter]

Currently we use “Referer” in the header when sending requests to identity providers. “Origin” on the other hand, is a more modern concept and its semantics agree with the value we have. As a result, we decided to use “Origin” instead during a recent discussion with Safari and Firefox. In particular:

• Chrome will use "Origin" instead of "Referer" for the requests that need to expose the RP

• Chrome will send no Origin (instead of "Origin: null") for requests that do not expose the RP

This change is effective in Chrome M110 (Stable release on Feb 7, 2023). If you have already implemented the "Referer" header, it's better to check both "Referer" and "Origin" to make sure FedCM API works on early Chrome clients (e.g. M108, M109) as well.