Class UriComponentsBuilder has separate fields for port and scheme. Method UriComponentsBuilder.adaptFromForwardedHeaders checks for "X-Forwarded-*" headers and modifies those fields. However, when X-Forwarded-Proto is present, ONLY field "scheme" is updated, not field "port". The result is that a request which has been forwarded by the Google IAP proxy, and thus has X-Forwarded-Proto but not X-Forwarded-Port, has the original "https" scheme but port 80.
Method WebUtils.isSameOrigin calls getPort(), which returns port 80 for the incoming request, but deduces port 443 from the "Origin" HTTP header, and thus rejects the incoming request.
I think a good argument could be made for method adaptFromForwardedHeaders to set field port (in the same way as WebUtils.getPort) when X-Forwarded-Proto is present.
At the very least, please add some suitable logging to indicate this problem - it has sucked up 2 days of my time tracking this down. In particular, this only occurs behind a proxy - local testing shows no problem.
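
The mismatch described in this report, reproduced as a self-contained Java model. This is an added example, not Spring's source code and not code from the reporter. The `Target` record, the method names, the host `app.example.com` and the sample headers are all assumptions constructed for illustration.

```java
import java.net.URI;
import java.util.Map;

// Simplified model of the behaviour described in the report; not Spring's source.
public class ForwardedPortDemo {

    // Hypothetical stand-in for the scheme/host/port fields of the URI builder.
    record Target(String scheme, String host, int port) {}

    static int defaultPort(String scheme) {
        return switch (scheme) {
            case "http", "ws" -> 80;
            case "https", "wss" -> 443;
            default -> -1;
        };
    }

    // Reported behaviour: X-Forwarded-Proto replaces the scheme, the port is left alone.
    static Target adaptSchemeOnly(Target t, Map<String, String> headers) {
        String proto = headers.get("X-Forwarded-Proto");
        return proto == null ? t : new Target(proto, t.host(), t.port());
    }

    // Proposed behaviour: with no X-Forwarded-Port, the port follows the forwarded scheme.
    static Target adaptSchemeAndPort(Target t, Map<String, String> headers) {
        String proto = headers.get("X-Forwarded-Proto");
        if (proto == null) return t;
        String fwdPort = headers.get("X-Forwarded-Port");
        int port = fwdPort != null ? Integer.parseInt(fwdPort) : defaultPort(proto);
        return new Target(proto, t.host(), port);
    }

    // Origin check: scheme, host and port must all match; a missing port uses the scheme default.
    static boolean isSameOrigin(Target t, String originHeader) {
        URI origin = URI.create(originHeader);
        int originPort = origin.getPort() != -1 ? origin.getPort() : defaultPort(origin.getScheme());
        return t.scheme().equals(origin.getScheme())
                && t.host().equals(origin.getHost())
                && t.port() == originPort;
    }

    public static void main(String[] args) {
        // Constructed request: the proxy terminates TLS and forwards plain HTTP to port 80.
        Target backend = new Target("http", "app.example.com", 80);
        Map<String, String> headers = Map.of("X-Forwarded-Proto", "https");
        String origin = "https://app.example.com";
        System.out.println("scheme only:     " + isSameOrigin(adaptSchemeOnly(backend, headers), origin));
        System.out.println("scheme and port: " + isSameOrigin(adaptSchemeAndPort(backend, headers), origin));
    }
}
```

The model accepts the forwarded headers unconditionally, which is only appropriate when the proxy is the sole network path to the application and overwrites any client-supplied X-Forwarded-* values.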