Roundup Tracker - Issues

Message7843

Author: schlatterbeck
Recipients: Heiko, rouilj, schlatterbeck
Date: 2023-10-09.11:43:42
Message-id: <1696851823.07.0.447405379261.issue2551294@roundup.psfhosted.org>
In-reply-to:
I was just bitten hard by the new behavior that not all header checks for REST can be turned off in the config.ini: I'm always getting::

 { "error": { "status": 400, "msg": "Required Header Missing" } }

Unfortunately I've not found anything about this in any of the upgrading docs.

Looks like the 'Origin' header check is hard-coded in roundup/cgi/client.py for the API, in handle_rest we have::

        if not self.is_origin_header_ok(api=True):
            if 'HTTP_ORIGIN' not in self.env:
                msg = self._("Required Header Missing")
            else:
                msg = self._("Client is not allowed to use Rest Interface.")

            # Use code 400. Codes 401 and 403 imply that authentication
            # is needed or authenticated person is not authorized.
            # Preflight doesn't do authentication.
            output = s2b(
                '{ "error": { "status": 400, "msg": "%s" } }' % msg)
            self.reject_request(output,
                                message_type="application/json",
                                status=400)
            return

So this does not use the csrf_enforce_header_origin in the config.
From the comments it looks like this might be intended to only be hit on a preflight check. But it is hit any time a POST is issued to the tracker. Even when authenticated. I'm using Kerberos Authentication behind an apache2 webserver.

Is this intentional?
I can see why one would enforce at least one header with REST but unfortunately I have a very important legacy app that I have no influence on.
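A constructed Python model of the REST origin gate quoted above, added here as an illustration and not roundup's own code; the allow-list matching inside is_origin_header_ok() and the sample environments are assumptions. It shows that an authenticated POST without an Origin header is rejected with the exact body reported, regardless of the csrf_enforce_header_origin value handed to the gate.

```python
import json

# Constructed model of the origin gate quoted from handle_rest above.
# The allow-list matching in is_origin_header_ok() is an assumption standing
# in for roundup's real method; the message texts and status code are the
# ones quoted in the message.
REQUIRED_MISSING = "Required Header Missing"
NOT_ALLOWED = "Client is not allowed to use Rest Interface."

def is_origin_header_ok(env, allowed_origins):
    """Assumed stand-in: the Origin header must be present and allow-listed."""
    origin = env.get("HTTP_ORIGIN")
    return origin is not None and origin in allowed_origins

def rest_origin_gate(env, allowed_origins, csrf_enforce_header_origin="required"):
    """Mirror the quoted branch.

    Returns (status, body) for a rejection or (None, None) when the request
    may proceed. csrf_enforce_header_origin is accepted but never consulted,
    which is the behaviour the message reports: the config.ini setting has
    no effect on the REST path.
    """
    if not is_origin_header_ok(env, allowed_origins):
        msg = REQUIRED_MISSING if "HTTP_ORIGIN" not in env else NOT_ALLOWED
        return 400, '{ "error": { "status": 400, "msg": "%s" } }' % msg
    return None, None

def classify(env, allowed_origins=("https://tracker.example",)):
    """Run the gate with the config check switched off and report the
    outcome as (status, error message or None)."""
    status, body = rest_origin_gate(env, allowed_origins,
                                    csrf_enforce_header_origin="no")
    return status, (json.loads(body)["error"]["msg"] if body else None)

# Constructed WSGI-style environments for an authenticated client
# (REMOTE_USER set, as an Apache/Kerberos front end would provide).
AUTHENTICATED_NO_ORIGIN = {"REQUEST_METHOD": "POST", "REMOTE_USER": "legacy"}
AUTHENTICATED_WITH_ORIGIN = dict(AUTHENTICATED_NO_ORIGIN,
                                 HTTP_ORIGIN="https://tracker.example")
AUTHENTICATED_FOREIGN_ORIGIN = dict(AUTHENTICATED_NO_ORIGIN,
                                    HTTP_ORIGIN="https://elsewhere.example")

if __name__ == "__main__":
    for name, env in [("no Origin", AUTHENTICATED_NO_ORIGIN),
                      ("allowed Origin", AUTHENTICATED_WITH_ORIGIN),
                      ("foreign Origin", AUTHENTICATED_FOREIGN_ORIGIN)]:
        print(name, "->", classify(env))
```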
History

Date                 User           Action  Args
2023-10-09 11:43:43  schlatterbeck  set     recipients: + schlatterbeck, rouilj, Heiko
2023-10-09 11:43:43  schlatterbeck  set     messageid: <1696851823.07.0.447405379261.issue2551294@roundup.psfhosted.org>
2023-10-09 11:43:43  schlatterbeck  link    issue2551294 messages
2023-10-09 11:43:42  schlatterbeck  create