IndieAuth.com

403 Forbidden if origin header not included for JSON authorization_endpoint response

Open tomlarkworthy opened this issue 3 years ago • 1 comment

The following is a 403

curl 'https://indieauth.com/auth' -X POST -H 'accept: application/json' \
-H 'referer: https://endpointservices.static.observableusercontent.com/'

The following works

curl 'https://indieauth.com/auth' -X POST -H 'accept: application/json' \
-H 'referer: https://endpointservices.static.observableusercontent.com/' \
-H 'origin: https://endpointservices.static.observableusercontent.com'

Looks like it gets bounced at the nginx level.

Why am I sending a referer header but not an origin header? I am hosting code in a Puppeteer instance, and when you disable CORS that's how it sends requests (and I don't seem to be able to get rid of the referer header): https://observablehq.com/@endpointservices/serverless-cells

So Chrome B.S. of some sort. It's not blocking me; I can just use the form response instead.

tomlarkworthy avatar Apr 18 '21 16:04 tomlarkworthy

Someone has had some weird interaction leading to a 403 with Sinatra before: https://serverfault.com/questions/690540/getting-403-forbidden-w-referer-on-nginxpassenger

Seems close to the symptoms though not exactly the same.

Pretty sure it's this:

https://stackoverflow.com/questions/10509774/sinatra-and-rack-protection-setting

tomlarkworthy avatar Apr 18 '21 17:04 tomlarkworthy
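As an added illustration (not part of the issue thread and not IndieAuth.com's code), here is a simplified Ruby re-implementation of the rule Rack::Protection's JsonCsrf check applies, run over the two requests reported above. The `SERVED_HOST` constant and the env hashes are constructed for the example, and `json_csrf_blocked?` is an assumption about the middleware's decision, not the library's own code.

```ruby
# Added example: a simplified re-implementation of the rule that
# Rack::Protection::JsonCsrf applies (assumption: mirrors the middleware's
# decision; this is not the library's own code). Rule: a response with
# Content-Type application/json is refused (403) when the request carries no
# Origin header and the Referer's host differs from the host being served.
require 'uri'

SERVED_HOST = 'indieauth.com' # constructed: host the app believes it serves

# env is a Rack-style environment hash (HTTP_ORIGIN, HTTP_REFERER, ...).
def json_csrf_blocked?(env, response_content_type, served_host = SERVED_HOST)
  # XHR requests are exempt from this rule.
  return false if env['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest'
  # Only JSON responses fall under it; the form (HTML) response is untouched.
  media_type = response_content_type.to_s.split(';', 2).first.to_s.strip
  return false unless media_type == 'application/json'
  # Any Origin header satisfies the check; only its absence matters.
  return false unless env['HTTP_ORIGIN'].nil?
  referer = env['HTTP_REFERER'].to_s
  return false if referer.empty? # assumption: missing Referer counts as same-site
  URI.parse(referer).host != served_host
rescue URI::InvalidURIError
  true # an unparseable Referer cannot be shown to be same-site; refuse
end

# The two requests from the issue report, as constructed env fragments.
WITHOUT_ORIGIN = {
  'HTTP_ACCEPT'  => 'application/json',
  'HTTP_REFERER' => 'https://endpointservices.static.observableusercontent.com/'
}
WITH_ORIGIN = WITHOUT_ORIGIN.merge(
  'HTTP_ORIGIN' => 'https://endpointservices.static.observableusercontent.com'
)

# Status the endpoint would return for a given request and response type.
def status_for(env, content_type = 'application/json')
  json_csrf_blocked?(env, content_type) ? 403 : 200
end

if __FILE__ == $PROGRAM_NAME
  puts "referer only:     #{status_for(WITHOUT_ORIGIN)}"               # 403
  puts "referer + origin: #{status_for(WITH_ORIGIN)}"                  # 200
  puts "form response:    #{status_for(WITHOUT_ORIGIN, 'text/html')}"  # 200
end
```

Because the check only fires for JSON bodies, the same request succeeds when the endpoint answers with the form response; a Sinatra app that intentionally serves JSON to cross-site clients can instead disable this single check for that endpoint with `set :protection, except: :json_csrf`.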