I’ve finally figured out an answer to this. There is at least one other situation where an Origin
header may be “null”. When following a redirect during a CORS request, if the request is redirected to a URL on a different server, the Origin
header will be changed to “null”. I suppose this is considered a “privacy-sensitive context” because the browser doesn’t want to leak the original origin to the new server, since the client may not have intended to make a request to the new server in the first place.