Referrer and origin preflight request headers in Safari are not changing when user navigates

Question

I have two web pages hosted on a.example.com and b.example. Each web page is including a script with a <script> tag, hosted on another domain and served with correct CORS headers.

At a certain point, user navigates from a.example.com to b.example.com.

Safari has here a strange behavior: the referrer and origin headers in preflight request are filled with a.example.com, making the server sending a bad value in Access-Control-Allow-Origin (and so the script can't be executed).

Is there a way to force Safari browser to send correct origin header in that kind of scenario ?

Answer 1

Does the cache policy for the script include Vary: Origin?

Respectively is there actually a second request after navigating to b.example.com?

If not, there is a chance that Safari is actually serving the script from cache - despite the Access-Control-Allow-Origin policy forbidding it to access the resource. Which is a conforming behavior, if the cache policy isn't configured correctly.