adamchainz / django-cors-headers

Django app for handling the server headers required for Cross-Origin Resource Sharing (CORS)


Cors headers are not added, when `origin` is not present in header

max-wittig opened this issue · comments

Maybe I don't understand something correctly, but I'm not sure why it's required to set the origin header for CORS headers to show up at all. It's set by the user and cannot be trusted anyway. Why is it required to be in the header?

CORS_URLS_REGEX = r'/api/.*$'
CORS_ORIGIN_ALLOW_ALL = True
CORS_ALLOW_CREDENTIALS = True
CORS_REPLACE_HTTPS_REFERER = True

from corsheaders.defaults import default_headers

CORS_ALLOW_HEADERS = default_headers + (
    'Credential-Token',
)

With origin header:

(screenshot of the response headers)

Without origin header:

(screenshot of the response headers)

Any string can be sent as origin:

(screenshot of the response headers)

Yes it’s user controlled. CORS only applies in the browser context to avoid accidental cross domain information leakage. The linked articles in the README cover this better than I can summarise here I’m afraid.
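The two observations in this thread (no CORS headers without an `Origin` request header; any string accepted as `Origin`) and the reply's point (the check is enforced by the browser, not the server) can be shown side by side. The following is an added illustration written for this page, not django-cors-headers' own code: `cors_headers` models the server-side decision with constructed settings (`ALLOWED_ORIGINS` is a made-up sample), and `browser_allows_read` models the client-side check a browser performs before letting a page's script read a cross-origin response.

```python
# Added illustrative example; not code from django-cors-headers.
# Models why a server only emits CORS headers when the request carries an
# Origin header, and why a forged Origin from a non-browser client gains nothing.
from urllib.parse import urlsplit

# Constructed sample of an allow-list setting (hypothetical value).
ALLOWED_ORIGINS = {"https://app.example.com"}


def cors_headers(request_headers, allow_all=False, allow_credentials=False,
                 allowed=ALLOWED_ORIGINS):
    """Return the CORS response headers the server would add for this request.

    allow_all / allow_credentials play the role of the ALLOW_ALL and
    ALLOW_CREDENTIALS style settings discussed in the issue (names here are
    the example's own, not the library's).
    """
    origin = request_headers.get("Origin")
    if origin is None:
        # No Origin header means this is not a cross-origin browser fetch
        # (same-origin navigation, curl, server-to-server call). There is no
        # browser-side check to satisfy, so there is nothing to declare.
        return {}

    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        # Malformed Origin: treat as disallowed rather than echoing junk back.
        return {}

    headers = {}
    if allow_all and not allow_credentials:
        # Wildcard is only valid for requests made without credentials.
        headers["Access-Control-Allow-Origin"] = "*"
    elif allow_all or origin in allowed:
        # Echo the specific origin; Vary: Origin keeps shared caches from
        # serving one origin's answer to another.
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"
    else:
        return {}

    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_allows_read(page_origin, response_headers, with_credentials=False):
    """Model the check a browser applies before exposing a cross-origin
    response to the calling page. Because this runs in the client, a client
    that forges Origin is only deceiving itself; the server leaks nothing it
    would not also send to a plain curl request with no Origin at all."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if acao == "*":
        return not with_credentials
    return acao == page_origin


if __name__ == "__main__":
    # Constructed sample requests mirroring the three screenshots in the issue.
    scenarios = {
        "no Origin (curl)": {},
        "allowed Origin": {"Origin": "https://app.example.com"},
        "arbitrary Origin": {"Origin": "https://other.example"},
    }
    for name, req in scenarios.items():
        print(name, "->", cors_headers(req))
```

The third scenario is the one worth a second look in the issue's own settings: with allow-all and credentials both enabled, the server echoes whatever `Origin` the browser supplies, so any page the user is logged-in to can read credentialed responses; that combination is a deliberate trust decision rather than a bug in requiring `Origin`.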