Created by: treuherz
Similar to CORS controls, WebSocket servers are often configured to check the Origin header of incoming requests. The config for the HTTP proxy overwrites requests' Origin header to prevent issues with CORS, but didn't previously do the same thing for WebSockets, as they are controlled by a different config key.
This Origin-limiting behaviour is recommended in RFC 6455 and is implemented in the Python websockets package, the Java websockets API and the Gorillas websocket package. I think it is common enough that c-r-a should support it out-of-the-box.
See https://github.com/treuherz/wstest for repro and test.
Fixes #10878