我在nodejs做白名单网址设置遇到的bug

Firefox的req headers没有origin

const jwtService = require('../services/JwtService');
module.exports = function(req, res, next) {
    const webHostWhitelist = [
        'http://xx.vip.ebay.com',
        'https://xxx.vip.qa.ebay.com',
        'http://localhost:8080'];
    let token;
    let origin;
    let userAgent = req.headers['user-agent'];
    **if (userAgent.indexOf('Firefox') > -1) {
        let host = req.headers['host'];
        let refer = req.headers['referer'] || req.headers['referered'];
        let protocol = refer.split(host)[0];
        origin = protocol + host;
    } else {
        origin = req.headers.origin;
    }**

    if (webHostWhitelist.includes(origin)) {
        if (req.headers && req.headers.token) {
            token = req.headers.token;
        } else if (req.param('token')) {
            token = req.param('token');
            delete req.query.token; // We delete the token from param to not mess with blueprints
        } else {
            return res.json(401, { err: 'No Authorization header was found' });
        }

        if (token.length <= 0) {
            return res.json(401, { err: 'Format is token: [token]' });
        }
        jwtService.verify(token, (err, token) => {
            if (err) {
                return res.json(401, { err: 'Invalid Token!' });
            }
            req.token = token; // This is the decrypted token or the payload you provided
            next();
        });
    } else {
        res.status(400).json('You are not authenticated to access this resource.');
    }
};