
I read about the referrer header that some sites use to allow only requests made by the pages of the site. So if I make a page hacker.com and let this page make a request to https://twitter.com/i/flow/add_phone, twitter will refuse this request as the referrer is not one of its pages.

How then can I access twitter.com, for example, from Google search? Is twitter.com allowed from any site, but twitter.com/i/flow/add_phone is not?

schroeder
ibnSaadoosh

2 Answers


Now the question is how then I can access twitter.com for example from google search

Twitter is conveniently ignoring the referer header because you are landing on an unauthenticated page, twitter.com. A cross-origin request can lead to CSRF when the session is created and the request leads to a state change. At https://twitter.com/i/flow/add_phone, the state of the parameter will change with a POST request submitting your password first, followed by entering your phone number. When Google is redirecting to Twitter, the referer header is sent but Twitter does not check it for protection, since no CSRF risk is considered in that case.

Kindly note, the referer header shall not be used as the only method of preventing cross-site request forgery, because it can be bypassed depending on how it is validated.

Arpit Rohela


Those pages which end up in Google results are not protected via a check on the Referer (sic) header. The referrer checks are (mostly) done when changing data or accessing sensitive data. Those kinds of pages don't end up in Google search results, as they are often POST requests or only visible after logging in, which the Google crawler does not do.

Glorfindel