Safari Dev Preview seems to successfully set Origin header on these cases:
* Cross Origin GET
* Same Origin POST
* Cross Origin POST
But fails to do the same with Same Origin GET.
Firefox already successfully implements this and Chrome are working on fixing the same issue in their Fetch implementation.
Thanks for filing this bug.
It seems there is consensus to add the Origin header in cors mode, which would cover XHR.
It is not very clear what happens in no-cors mode, see https://github.com/whatwg/fetch/issues/225
It seems this is fixed; the relevant subtests in api/basic/request-headers.any.js pass and the chromium bug was marked as WontFix.