Comment 4 for bug 1440958

David Stanek (dstanek) wrote:

++ On not trusting the HTTP headers if they are used in any way for security. Both HTTP_HOST and HTTP_REFERER are easy to fake. Generally speaking all HTTP_* vars are just pulled from the client request and stuffed into the environment. They should be treated like any other user provided data.
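As an added illustration of the point above (example code, not part of the bug thread or of any project's code): a WSGI application should treat `HTTP_HOST` exactly like form input, parsing it strictly and checking it against a configured allowlist before using it to build URLs. The allowlist and the environ dicts here are constructed sample values.

```python
import re

# Constructed allowlist. In a real deployment this comes from the service's
# own configuration, never from anything in the request.
ALLOWED_HOSTS = {"api.example.com", "localhost"}

# Strict shape for a Host header value: hostname or bracketed IPv6 literal,
# optional numeric port. Anything else (userinfo, paths, whitespace) fails.
_HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9.-]+|\[[0-9a-f:.]+\])(?::(?P<port>\d{1,5}))?$",
    re.IGNORECASE,
)


def parse_host(raw):
    """Return (host, port_or_None) if raw is a well-formed Host value, else None."""
    m = _HOST_RE.match(raw or "")
    if not m:
        return None
    return m.group("host").lower().rstrip("."), m.group("port")


def host_from_environ(environ, allowed_hosts=ALLOWED_HOSTS):
    """Return the validated hostname from a WSGI environ, or None.

    HTTP_HOST is copied verbatim from the client's Host header, so it is
    user-controlled data: it is only accepted if it parses cleanly AND is
    in the allowlist the operator configured.
    """
    parsed = parse_host(environ.get("HTTP_HOST"))
    if parsed is None or parsed[0] not in allowed_hosts:
        return None
    return parsed[0]


def build_public_url(environ, path, allowed_hosts=ALLOWED_HOSTS):
    """Build an absolute URL for path, refusing any untrusted Host header."""
    host = host_from_environ(environ, allowed_hosts)
    if host is None:
        raise ValueError("refusing to build a URL from an untrusted Host header")
    port = parse_host(environ["HTTP_HOST"])[1]
    scheme = environ.get("wsgi.url_scheme", "http")
    netloc = host if port is None else f"{host}:{port}"
    return f"{scheme}://{netloc}{path}"
```

The same pattern applies to `HTTP_REFERER`: parse it, compare the origin against a configured value, and never treat a match as proof of anything more than "the client chose to send this".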