It looks like we simply need to clear the origin header on cross-origin redirects.
Created attachment 252087 [details] Patch
Comment on attachment 252087 [details] Patch Oh yes, nice catch
Comment on attachment 252087 [details] Patch Clearing flags on attachment: 252087 Committed r183672: <http://trac.webkit.org/changeset/183672>
All reviewed patches have been landed. Closing bug.