As has been stated before many times HTTP_REFERER is a silly toy that can't be trusted more than anything else that is submitted on a form. Any time you feel the need to trust the HTTP_REFERER's value you need to change your approch. It should not be used for auth, site flow (unles your output of site flow is considered as untrustworthy as HTTP_REFERER itself) or anything else you need to trust.

-Waswas