Comment 3 for bug 678401

William Grant (wgrant) wrote :

All known Referer spoofing vulnerabilities are long-fixed, and there are far worse old browser holes that could be exploited.

However, it's still fragile since lots of people block the header. CSRF tokens should be added.