On Wed, Jan 15, 2014 at 10:28 AM, Peter Wu <lekensteyn at gmail.com> wrote: > While the referrer part may not be that easily spoofable Note that as of b826537 we no longer rely on the referer and instead use a hidden html form with a secured value. This also doubles as CSRF protection.