Possibly incorrect implementation

In [the outline](https://tools.ietf.org/id/draft-abarth-origin-03.html) for a "participating server", the lack of presence of an `Origin` header is interpretted as a valid use case (since it is same origin) and the client may modify state on the server. It is only when a `Origin` header is specified **and** it does not match the server's whitelist is there a problem.
