RESOLVED FIXED 146650
Origin not sent on anonymous async JS requests
https://bugs.webkit.org/show_bug.cgi?id=146650
Patrick Toomey
Reported 2015-07-06 12:00:02 PDT
We had some CORS logic that relied on looking at the `Origin` header for setting the appropriate `Access-Control-Allow-Origin` response. The page that relied on this looked something like:

```
<html>
...
<script crossorigin="anonymous" src="..."></script>
<script async="async" crossorigin="anonymous" src="..."></script>
<script async="async" crossorigin="anonymous" src="..."></script>
...
</html>
```

We noticed that only the first JS request included the `Origin` header. The two async requests did not include it. Even more strangely, it seems like the non-async resource acts like some sort of toggle that prevents `Origin` from being added for all future JS resource requests. For example:

```
# The below will send `Origin` for the first request and not for the second and third
<script some-non-async...>
<script async="async"...>
<script async="async"...>

# The below will send `Origin` for the first and second request and not the third
<script async="async"...>
<script some-non-async...>
<script async="async"...>

# The below will send `Origin` for all the requests
<script async="async"...>
<script async="async"...>
<script some-non-async...>
```

This behavior is reproducible on the latest Safari as well as the latest WebKit nightly.
Radar WebKit Bug Importer
Comment 1 2015-07-11 06:06:34 PDT
Tim Finley
Comment 2 2015-07-14 13:31:17 PDT
I also just ran into this. I am on Safari Version 7.1.6 (9537.85.15.3)
Trevor Burnham
Comment 3 2015-07-14 13:43:46 PDT
In addition to the Safari version Tim Finley mentioned, I've been able to reproduce this in:

* Version 8.0.7 (10600.7.12)
* Version 6.1 (8537.71)
* Version 6.0.5 (7536.30.1)
Tim Finley
Comment 4 2016-10-21 09:39:47 PDT
Note, this seems to be fixed in Safari 10 on Sierra (but still doesn't work in Safari 9.1 in El Capitan)
Brent Fulgham
Comment 5 2020-08-28 15:21:14 PDT
Closing based on reporter's statement about Safari 10.
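
The server-side logic the report describes (choosing `Access-Control-Allow-Origin` from the request's `Origin`) can handle a missing `Origin` explicitly instead of silently omitting the header. This is an added example, not code from the reporter or from WebKit; the allowlist, function names and sample requests are constructed, and the wildcard fallback assumes the asset is public and never varies with cookies.

```javascript
// Added example. ALLOWED_ORIGINS and both function names are hypothetical.
const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Returns the CORS-related response headers for one request.
// requestHeaders: object with lower-cased header names (as in Node's req.headers).
// publicAsset: true only for files that are identical for every caller.
function corsHeadersFor(requestHeaders, publicAsset = false) {
  // The response depends on Origin, so caches must key on it. Otherwise a copy
  // cached from an Origin-less request can be replayed to a request that did
  // send Origin and needs Access-Control-Allow-Origin.
  const headers = { Vary: "Origin" };
  const origin = requestHeaders["origin"];

  if (origin === undefined) {
    // The case from the report: no Origin arrived for an anonymous script load.
    if (publicAsset) headers["Access-Control-Allow-Origin"] = "*";
    return headers;
  }
  // Exact-match allowlist; an unrecognised Origin is never echoed back.
  if (ALLOWED_ORIGINS.has(origin)) headers["Access-Control-Allow-Origin"] = origin;
  return headers;
}

// Flags requests matching the reported pattern: no Origin header, but a Referer
// on one of our own sites. A plain <script> without crossorigin looks the same,
// so apply this only to URLs that are always loaded with crossorigin set.
function looksLikeMissingOrigin(requestHeaders) {
  if (requestHeaders["origin"] !== undefined) return false;
  const referer = requestHeaders["referer"];
  if (!referer) return false;
  try {
    return ALLOWED_ORIGINS.has(new URL(referer).origin);
  } catch {
    return false; // malformed Referer
  }
}

// Constructed sample requests.
const samples = [
  { origin: "https://app.example.com", referer: "https://app.example.com/" },
  { referer: "https://app.example.com/dashboard" }, // Origin absent
  { origin: "https://other.example.net", referer: "https://other.example.net/" },
];
for (const h of samples) {
  console.log(corsHeadersFor(h, true), looksLikeMissingOrigin(h));
}
```

Counting `looksLikeMissingOrigin` hits per user agent in access logs shows which browser versions are affected before deciding whether the wildcard fallback is needed.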