Details
- Bug
- Status: Closed
- Normal
- Resolution: Fixed
- Puma Sprint 226
Description
The Page Model API should also, on request methods other than OPTIONS (GET, POST, etc.), return the explicit allowed origin when the allowed origin is already configured as
Access-Control-Allow-Origin: *
If the Origin is whitelisted via hst:allowOrigins, the correct explicit Access-Control-Allow-Origin should also be set.
Since we now also need to set the right origin for, for example, POST requests, we cannot fully rely on the 'Origin' header being present in the request (see CMS-12155). Therefore, if the Origin header is missing, we fall back to the Referer, and if that is missing too, we fall back to the server name. Falling back on the Referer is also what OWASP recommends for CSRF protection, hence it is the best fallback when the Origin is missing.
OWASP:
Identifying Source Origin (via Origin/Referer header)
Checking the Origin Header
If the Origin header is present, verify that its value matches the target origin. Unlike the Referer, the Origin header will be present in HTTP requests that originate from an HTTPS URL.
Checking the Referer Header
If the Origin header is not present, verify the hostname in the Referer header matches the target origin. This method of CSRF mitigation is also commonly used with unauthenticated requests, such as requests made prior to establishing a session state, which is required to keep track of a synchronization token.
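The Origin -> Referer -> server name fallback and the whitelist check described above, as an added stand-alone example (not HST or Page Model API code); the header dictionaries, the `allowed_origins` set and the `server_name`/`scheme` parameters are assumptions of this example, and treating an `Origin: null` value as absent is an extra hardening step not mentioned in the issue.

```python
from urllib.parse import urlsplit


def origin_from_url(url):
    """Reduce a URL (e.g. a Referer value) to its origin: scheme://host[:port]."""
    parts = urlsplit(url)
    try:
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed port such as "https://h:abc/"
        return None
    if not parts.scheme or not host:
        return None
    return f"{parts.scheme}://{host}" + (f":{port}" if port is not None else "")


def resolve_request_origin(headers, server_name, scheme="https"):
    """Origin header first, then the Referer's origin, then the server's own name.

    headers: dict of request headers (case-insensitive lookup). An Origin of
    "null" (sandboxed iframe, some redirects) is not a usable origin and is
    treated as missing (hardening assumption added here).
    """
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    if origin and origin != "null":
        return origin
    referer = h.get("referer")
    if referer:
        ref_origin = origin_from_url(referer)
        if ref_origin:
            return ref_origin
    return f"{scheme}://{server_name}"


def cors_response_headers(headers, allowed_origins, server_name, scheme="https"):
    """Return the CORS headers to add to a GET/POST/... response.

    allowed_origins: set of explicit origins, or {"*"} for "any origin", in which
    case the resolved origin is echoed back explicitly instead of "*".
    Returns {} when the origin is not whitelisted (no CORS header at all).
    """
    origin = resolve_request_origin(headers, server_name, scheme)
    if "*" in allowed_origins or origin in allowed_origins:
        # Vary: Origin keeps caches from serving one origin's header to another.
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}
```

Echoing an explicit origin is only safe together with `Access-Control-Allow-Credentials` when that origin comes from the whitelist, not from a `*` entry; with `*` the response must stay credential-less.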