web: fix authentication when using `sg start web-standalone`

Created by: slimsag

Prior to this change, the proxy server that sg start web-standalone uses to proxy requests to https://k8s.sgdev.org did not send an appropriate Origin header (it sent http://localhost:3080 or https://sourcegraph.test, NOT https://k8s.sgdev.org as we would expect.)

In #27313 (21 days ago) we hardened security by enforcing that requests to API endpoints that are not from trusted origins and do not have X-Requested-With will not be allowed to use session authentication. This introduced the issue for sg start web-standalone originally, and to workaround this @vovakulikov added X-Requested-With to all proxied requests in #27825

In #28572 (merged yesterday) I removed the proxy logic for CSRF tokens and due to a merge conflict also removed the X-Requested-With logic Vova had added.

Using X-Requested-With was a fine workaround-and bringing that logic back would've continued to workaround the issue-but sending the correct Origin header is better and will more closely mimic what is actually happening when code is deployed to production, so that is the fix I have made here.

Signed-off-by: Stephen Gutekanst stephen@sourcegraph.com