Subresource fetch requests in no-cors mode don't come with an Origin header, but the preflight requests we send for PNA include the "Origin" header. This is so that websites can use it to gate access only to websites they trust even though it leaks some information. We think the trade-off is worth it because in order to exploit this leak, you have to be on the private network of the user. We should probably still call this out in the spec.
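Added example (not from this issue, and not browser or spec code) of the server-side gating the comment describes: a private-network device answers the PNA preflight by checking the Origin header against an allowlist before granting `Access-Control-Allow-Private-Network`. The `Access-Control-Request-Private-Network` / `Access-Control-Allow-Private-Network` header names come from the PNA proposal; the allowlist contents and the function name are assumptions for illustration.

```javascript
// Constructed allowlist: only these public origins may reach this private-network service.
const ALLOWED_ORIGINS = new Set(['https://app.example']);

// Decide how to answer an OPTIONS request given its request headers.
// Returns { status, headers } so the decision can be tested without a socket.
function pnaPreflightResponse(requestHeaders) {
  // Node's http module lowercases header names; do the same for plain objects.
  const h = {};
  for (const [name, value] of Object.entries(requestHeaders)) {
    h[name.toLowerCase()] = value;
  }

  // Not a PNA preflight: grant nothing private-network related.
  if (h['access-control-request-private-network'] !== 'true') {
    return { status: 204, headers: {} };
  }

  // The preflight carries Origin even for no-cors subresource loads, so the
  // device can restrict access to sites it trusts. Deny by omitting the
  // Allow-Private-Network header; the browser then blocks the actual fetch.
  const origin = h['origin'];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: 403, headers: {} };
  }

  return {
    status: 204,
    headers: {
      'Access-Control-Allow-Origin': origin,          // echo only an allowlisted origin
      'Access-Control-Allow-Private-Network': 'true', // explicit opt-in for this origin
      'Vary': 'Origin',                               // caches must key on Origin
    },
  };
}

// Usage sketch inside an http.createServer callback (assumed wiring):
//   if (req.method === 'OPTIONS') {
//     const { status, headers } = pnaPreflightResponse(req.headers);
//     res.writeHead(status, headers); res.end();
//   }
```

Because the decision is a pure function of the request headers, the same logic can sit in front of any existing handler on the device, and logging its 403 branch gives a cheap signal of which origins are probing the private network.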