http://qs1969.pair.com?node_id=607336


in reply to Re^2: Is your web application really secure? ("CSRF")
in thread Is your web application really secure? ("CSRF")

Yes, but I was talking about malicious sites faking referers without the user's explicit permission. If a user wants to forge a referer header there's no way to stop it. Note that we're trying to protect the user, not the web app per se.