GP
Great article. This solution only partly addresses the problem from the browser's point of view. The proxy server can still be tricked by spoofing the Origin header using a tool like curl. There's really no way your proxy server would differentiate a spoofed request from a request that originated from the browser.