Safari Dev Preview seems to successfully set Origin header on these cases:
* Cross Origin GET
* Same Origin POST
* Cross Origin POST
But fails to do the same with Same Origin GET.
Firefox already successfully implements this and Chrome are working on fixing the same issue in their Fetch implementation.
Thanks for filing this bug.
It seems there is consensus to add the Origin header in cors mode, which would cover XHR.
It is not very clear what happens in no-cors mode, see https://github.com/whatwg/fetch/issues/225