The Origin header is used to protect the server. This is to prevent the WebSocket Hijacking attack (http://www.christian-schneider.net/CrossSiteWebSocketHijacki...) . i.e. it does not help a lot in the browser end especially in the mashup scenario.

However, the lack of the same-origin policy in WebSockets makes the presence of the same-origin policy in XMLHttpRequests questionable. I am just talking about this part where the browser does not have to restrict a connection to any origin from a given website without even a need for a CORS like whitelist.