CsrfPreventionRequestCycleListener tries to determine the origin of a request via interpretation of the origin header and use this to block cross origin requests. The origin header however is not very reliable. For example, when a user opens a link in a new tab, the header is not sent. Fetch Metadata Request Headers (https://w3c.github.io/webappsec-fetch-metadata/) aims to solve this via a set of well defined headers. For Wicket, sec-fetch-site is the most important: same-origin is safe, none is a user opening a link via (for example) a bookmark, same-site and cross-origin should be blocked.