Does the current spec take into account that unscrupulous ISPs (I'm thinking about hotel WiFi in particular) can strip the header before forwarding a request to a server?
It says they shouldn't do that. But you are never going to see enforcement, stripping headers can be sold as "security" to hotels who have no clue what they are doing.