Allow Origin header to be set (for non-browser platforms). (anza-xyz#888)

* Allow Origin header to be set (for non-browser platforms).

* Add changeset

* Runtime error in Node/browser environments in dev

* Add tests. Allow `Origin` in Node build. Expand on the changeset.

---------

Co-authored-by: Steven Luscher <steven.luscher@anza.xyz>

Author: prashanFOMO

.changeset/eager-lizards-stand.md

@@ -0,0 +1,5 @@
+---
+'@solana/rpc-transport-http': minor
+---
+
+The React Native and Node builds now permit you to set the `Origin` header. This header continues to be forbidden in the browser build, as it features on the list of forbidden request headers: https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_request_header

packages/rpc-transport-http/src/__tests__/http-transport-headers-test.ts

@@ -27,7 +27,6 @@ describe('assertIsAllowedHttpRequestHeader', () => {
         'Expect',
         'Host',
         'Keep-Alive',
-        'Origin',
         'Permissions-Policy',
         'Proxy-Anything',
         'Proxy-Authenticate',
@@ -64,6 +63,17 @@ describe('assertIsAllowedHttpRequestHeader', () => {
             );
         });
     }
+    if (__BROWSER__) {
+        it('throws when called with the `Origin` header', () => {
+            expect(() => {
+                assertIsAllowedHttpRequestHeaders({ Origin: 'https://spoofed.site' });
+            }).toThrow(
+                new SolanaError(SOLANA_ERROR__RPC__TRANSPORT_HTTP_HEADER_FORBIDDEN, {
+                    headers: ['Origin'],
+                }),
+            );
+        });
+    }
     ['Authorization', 'Content-Language', 'Solana-Client'].forEach(allowedHeader => {
         it('does not throw when called with the header `' + allowedHeader + '`', () => {
             expect(() => {

packages/rpc-transport-http/src/http-transport-headers.ts

@@ -33,7 +33,10 @@ type ForbiddenHeaders =
     | 'Expect'
     | 'Host'
     | 'Keep-Alive'
-    | 'Origin'
+    // Similar to `Accept-Encoding`, we don't have a way to target TypeScript types depending on
+    // which platform you are authoring for. `Origin` is therefore omitted from the forbidden
+    // headers type, but is still a runtime error in dev mode when supplied in a browser context.
+    // | 'Origin'
     | 'Permissions-Policy'
     | 'Referer'
     | 'TE'
@@ -64,7 +67,6 @@ const FORBIDDEN_HEADERS: Record<string, boolean> = /* @__PURE__ */ Object.assign
         expect: true,
         host: true,
         'keep-alive': true,
-        origin: true,
         'permissions-policy': true,
         // Prefix matching is implemented in code, below.
         // 'proxy-': true,
@@ -77,6 +79,7 @@ const FORBIDDEN_HEADERS: Record<string, boolean> = /* @__PURE__ */ Object.assign
         via: true,
     },
     __NODEJS__ ? undefined : { 'accept-encoding': true },
+    __BROWSER__ ? { origin: true } : undefined,
 );
 
 export function assertIsAllowedHttpRequestHeaders(