As documented in Authentication & Authorization: Calling APIs from Frontend, a frontend app needs to set, among others, the origin header. This I do, and my app works.
Attempt to set a forbidden header was denied: origin
I removed the origin header and the message disappears, and importantly, my app still works!
I'm interested, what's up here? Why the documented requirement to set the origin header?
I noticed this too.
My assumption is that the author of the mindsphere documentation was using the fetch polyfill for some reason (IE 9?!) instead of the native fetch browser API and therefore hasn't noticed that the Origin header can't be set when using the native implementation.
The fetch spec clearly states which headers have to stay in the full control of the browser:
Accept-Charset, Accept-Encoding, Access-Control-Request-Headers, Access-Control-Request-Method, Connection, Content-Length, Cookie, Cookie2, Date, DNT, Expect, Host, Keep-Alive, Origin, Proxy-, Sec-, Referer, TE, Trailer, Transfer-Encoding, Upgrade, Via
I think that the mindsphere documentation needs to be improved to reflect the current state of the implementation.
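As an added illustration (not code from the thread or from MindSphere), the check below encodes the forbidden-header list quoted above, including the Proxy- and Sec- prefixes, and splits a header map into what a script may send and what the browser owns; the point for the server side is that Origin is trustworthy for CORS and CSRF origin checks precisely because page scripts cannot set it. The header names and values in the sample are constructed; the X-Example-Token name is hypothetical.

```javascript
// Forbidden request header names from the Fetch Standard, as quoted in the
// answer above. A browser's native fetch() sets these itself and ignores any
// value a script supplies. (Added example; list transcribed from the spec.)
const FORBIDDEN_REQUEST_HEADERS = new Set([
  "accept-charset", "accept-encoding", "access-control-request-headers",
  "access-control-request-method", "connection", "content-length", "cookie",
  "cookie2", "date", "dnt", "expect", "host", "keep-alive", "origin",
  "referer", "te", "trailer", "transfer-encoding", "upgrade", "via",
]);
// Two whole prefixes are reserved: anything starting with Proxy- or Sec-.
const FORBIDDEN_PREFIXES = ["proxy-", "sec-"];

// True when native fetch() would refuse to let a script set this header.
// HTTP header names are case-insensitive, so compare lowercased.
function isForbiddenRequestHeader(name) {
  const lower = String(name).trim().toLowerCase();
  return FORBIDDEN_REQUEST_HEADERS.has(lower) ||
    FORBIDDEN_PREFIXES.some((prefix) => lower.startsWith(prefix));
}

// Splits a header map into the part a script is allowed to send and the part
// the browser controls. Pass `allowed` to fetch(); surface `browserControlled`
// so nobody assumes the server will see a script-chosen Origin.
function partitionHeaders(headers) {
  const allowed = {};
  const browserControlled = [];
  for (const [name, value] of Object.entries(headers)) {
    if (isForbiddenRequestHeader(name)) browserControlled.push(name);
    else allowed[name] = value;
  }
  return { allowed, browserControlled };
}

// Constructed sample header map (not taken from the MindSphere documentation).
const sample = {
  "Content-Type": "application/json",
  "Origin": "https://app.example.test",   // dropped: browser-owned
  "X-Example-Token": "constructed-value",  // hypothetical custom header
  "Sec-Fetch-Mode": "cors",                // dropped: Sec- prefix
};
const { allowed, browserControlled } = partitionHeaders(sample);
console.log("sent by script:", Object.keys(allowed));
console.log("left to the browser:", browserControlled);
```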