How does sending referrer HTTP headers protect against CSRF attacks?
I tried logging into an HTTPS site with Firefox's network.http.sendRefererHeader set to 0 (i.e., completely disabled, as a measure against tracking), and it said:
Forbidden (403)
CSRF verification failed. Request aborted.
You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties.
If you have configured your browser to disable 'Referer' headers, please re-enable them, at least for this site, or for HTTPS connections, or for 'same-origin' requests.
How would this prevent CSRF attacks? Couldn't the attacker just spoof the referrer header, making it look like one I would've sent?
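As an added illustration (not part of the original question, and not Django's own code): the server-side policy behind an error message like the one above, in the style of Django's strict-Referer check on HTTPS. The point it shows is that the check is performed by the server against the request host, and that Referer and Origin are browser-controlled headers a cross-site page cannot set from script, so a forged value would have to come from the victim's own browser. The host name and header values below are constructed samples.

```python
from urllib.parse import urlsplit


def check_referer(request_host, headers, is_https=True):
    """Decide whether a state-changing request passes a Referer/Origin origin check.

    request_host: the Host this request was received for (e.g. "bank.example").
    headers:      request headers as a dict (case-insensitive names).
    Returns (ok, reason). Policy assumed here, modelled on the Django-style rule:
    on HTTPS a missing Referer/Origin is rejected outright; on plain HTTP the check
    is skipped, since an active network attacker could strip the header anyway.
    """
    h = {k.lower(): v for k, v in headers.items()}
    # Both headers are "forbidden" for scripts: a cross-site page can only trigger
    # the request, not choose what the browser puts in these fields.
    candidates = [v for v in (h.get("origin"), h.get("referer")) if v]
    if not candidates:
        if is_https:
            return False, "missing Referer/Origin on HTTPS request"
        return True, "no referer check on plain HTTP"

    expected_scheme = "https" if is_https else "http"
    for value in candidates:
        parts = urlsplit(value)  # Origin "null" parses to empty scheme/netloc
        if parts.scheme != expected_scheme:
            return False, "scheme mismatch: %r" % value
        if parts.netloc.lower() != request_host.lower():
            return False, "host mismatch: %r" % value
    return True, "same-origin"


# Constructed examples: a same-site form post versus a post launched from another site.
SAME_SITE = check_referer("bank.example", {"Referer": "https://bank.example/transfer"})
CROSS_SITE = check_referer("bank.example", {"Origin": "https://evil.example",
                                            "Referer": "https://evil.example/csrf.html"})
DISABLED = check_referer("bank.example", {})  # what the browser in the question sent
```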