[BUG] Support "null" value for Origin header #205

@raulci

Description

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

We should consider the situation when the Origin header is null (https://www.rfc-editor.org/rfc/rfc6454#section-7.3):

Whenever a user agent issues an HTTP request from a "privacy-
sensitive" context, the user agent MUST send the value "null" in the
Origin header field.

In this code, we should consider it:

// if we have an Origin header, check it against our allowlist
origin := r.Header.Get("Origin")
if origin != "" {
	parsedOrigin, err := url.Parse(origin)
	if err != nil {
		r = envError(r, ErrBadOrigin)
		cs.opts.ErrorHandler.ServeHTTP(w, r)
		return
	}
	if !sameOrigin(&requestURL, parsedOrigin) && !slices.Contains(cs.opts.TrustedOrigins, parsedOrigin.Host) {
		r = envError(r, ErrBadOrigin)
		cs.opts.ErrorHandler.ServeHTTP(w, r)
		return
	}
}

Maybe just ignore the null value in the if origin sentence:

origin := r.Header.Get("Origin")
if origin != "" && origin != "null" {
	...
}

Expected Behavior

If the Origin header value is the null string, the Origin header should not be checked.

Steps To Reproduce

With my current setup, the OAuth2 Hydra login process causes the POST login to be called with ‘Origin = null’.

Anything else?

I managed to configure the POST login to set up the Origin header (see https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Referrer-Policy#integration_with_html), so this error is not happening anymore, but anyway I think the null string value should be considered.

Reference: https://www.rfc-editor.org/rfc/rfc6454#section-7.3
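The rejection the reporter saw follows from how the quoted snippet parses the header: `url.Parse("null")` does not return an error, it returns a URL whose `Path` is "null" and whose `Host` is empty, so the value never equals the request host and is never in the allowlist. The example below is added here and is not the project's code; it is a stand-alone Go rewrite of the check with an explicit branch for the RFC 6454 "null" value. The `OriginPolicy` type, its `AllowNullOrigin` field and the `CheckOrigin` function are assumed names chosen for the example, and `sameOrigin` is a simplified scheme-and-host comparison rather than the project's own helper. Skipping the check for "null" (the issue's proposal) means such requests are protected only by whatever other checks the middleware still applies, such as the CSRF token comparison, so the example keeps that choice configurable and defaults to rejecting.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrBadOrigin stands in for the error the quoted snippet returns when
// the Origin header matches neither the request host nor the allowlist.
var ErrBadOrigin = errors.New("origin check failed")

// OriginPolicy is a hypothetical configuration type (assumed for this
// example, not part of the project) that carries the allowlist and the
// decision for the literal "null" Origin value.
type OriginPolicy struct {
	// TrustedOrigins lists extra hosts (host or host:port) allowed to
	// originate state-changing requests, like cs.opts.TrustedOrigins.
	TrustedOrigins []string
	// AllowNullOrigin selects the behaviour for the "null" value that
	// RFC 6454 section 7.3 mandates for privacy-sensitive contexts.
	// true implements the issue's proposal (skip the Origin check and
	// rely on the remaining checks); false, the default, keeps
	// rejecting it as an untrusted origin.
	AllowNullOrigin bool
}

// sameOrigin is a simplified comparison of scheme and host (with port);
// the project's own helper may differ in detail.
func sameOrigin(a, b *url.URL) bool {
	return strings.EqualFold(a.Scheme, b.Scheme) && strings.EqualFold(a.Host, b.Host)
}

// trustedHost reports whether host appears in the allowlist.
func trustedHost(p OriginPolicy, host string) bool {
	for _, h := range p.TrustedOrigins {
		if strings.EqualFold(h, host) {
			return true
		}
	}
	return false
}

// CheckOrigin applies the Origin check for a request with URL requestURL
// and Origin header value origin. It returns nil when the request may
// proceed to the remaining CSRF checks and ErrBadOrigin otherwise.
func CheckOrigin(p OriginPolicy, requestURL, origin string) error {
	reqURL, err := url.Parse(requestURL)
	if err != nil || reqURL.Host == "" {
		return fmt.Errorf("request URL %q: %w", requestURL, ErrBadOrigin)
	}
	switch origin {
	case "":
		// No Origin header at all: nothing to compare here.
		return nil
	case "null":
		// Opaque origin (RFC 6454 section 7.3). Without this branch the
		// value would reach url.Parse, come back with an empty Host and
		// be rejected, which is the behaviour the issue reports.
		if p.AllowNullOrigin {
			return nil
		}
		return ErrBadOrigin
	}
	parsed, err := url.Parse(origin)
	if err != nil || parsed.Scheme == "" || parsed.Host == "" {
		// Malformed or scheme-less values are never a match.
		return ErrBadOrigin
	}
	if sameOrigin(reqURL, parsed) || trustedHost(p, parsed.Host) {
		return nil
	}
	return ErrBadOrigin
}

func main() {
	// Constructed sample values, not taken from any real deployment.
	const login = "https://app.example/login"
	strict := OriginPolicy{TrustedOrigins: []string{"auth.example"}}
	lenient := OriginPolicy{TrustedOrigins: []string{"auth.example"}, AllowNullOrigin: true}
	for _, o := range []string{"", "null", "https://app.example", "https://auth.example", "https://attacker.example"} {
		fmt.Printf("%-26q strict=%v lenient=%v\n", o, CheckOrigin(strict, login, o), CheckOrigin(lenient, login, o))
	}
}
```

Running `main` prints one line per sample Origin value under both policies; the only row where the two differ is "null", which is exactly the case the issue is about.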
