=== Selection of "null" token ===
TODO: describe why we chose "null" instead of something like "redacted" or "private" or "fail".
In some scenarios, the string "null" is sent in lieu of origin information. This is done to indicate that the cause of the request is not trustworthy, even though it may come from the same origin. Certain requests are not generally useful as state-changing triggers (like requests for stylesheets, images or window navigation) and probably should not be trusted even if sent same-origin.