Tags: security, header, server, csrf, csrf-protection

CSRF prevention: no Origin and Referer header - how to handle?


I'm trying to enhance my CSRF prevention by checking the Origin and Referer headers server-side before accepting or blocking requests from the client.

Referring to this page at owasp.org, one should block all requests that include neither an Origin nor a Referer header:

What to do when Both Origin and Referer Aren't Present

If neither of these headers is present, which should be VERY rare, you can either accept or block the request. We recommend blocking, (...)

BUT ... when I now open a new tab and try to load my page for the first time, my request has no Origin or Referer header, so my first request gets blocked.

Question: How should these cases be handled? Or have I misunderstood something?

Note: I use CSRF token protection; this question is just about the header checking.


Solution

  • I'm not sure if I understand your question correctly, but when you first load your page, there should be no state-changing request. For that reason, the request should be allowed.

    Your filter should first check if the request is state-changing (PUT, POST, DELETE, etc.), and then check for appropriate headers if it is.
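The ordering the answer describes, written out as an added example (not code from the question, the answer, or OWASP): safe methods pass without a header check, state-changing methods must present an Origin or, failing that, a Referer that matches a configured allow-list, and a state-changing request with neither header is blocked. The function name `csrf_header_check` and the `allowed_origins` set are assumptions; the header check is meant to sit beside, not replace, the token check the question already uses.

```python
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Methods that must not change server state (RFC 7231 "safe" methods).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(value: str) -> Optional[str]:
    """Reduce an Origin value or a Referer URL to scheme://host[:port].

    Returns None for values that carry no usable origin, e.g. the literal
    "null" Origin that browsers send for opaque origins.
    """
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_header_check(method: str, headers: Dict[str, str],
                      allowed_origins: Set[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request.

    Only state-changing methods are subject to the header check, so the
    first navigation to the site (a GET with no Origin/Referer) is allowed.
    allowed_origins holds lower-cased values such as "https://example.com".
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method, header check not applied"

    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    source = hdrs.get("origin")
    if source is None:
        source = hdrs.get("referer")  # fall back to Referer only when Origin is absent
    if source is None:
        # The blocking default from the OWASP guidance quoted in the question.
        return False, "state-changing request with neither Origin nor Referer"

    src = _origin_of(source)
    if src is None:
        return False, f"unusable source value {source!r}"
    if src in allowed_origins:
        return True, f"source {src} is an allowed origin"
    return False, f"source {src} is not an allowed origin"


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    allowed = {"https://example.com"}
    print(csrf_header_check("GET", {}, allowed))
    print(csrf_header_check("POST", {}, allowed))
    print(csrf_header_check("POST", {"Referer": "https://example.com/settings?tab=1"}, allowed))
```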