This is not my main anti-CSRF mechanism; I know that HTTPS requests don't have a referer header; I know users or firewalls can remove it or set it to an arbitrary fixed value.
I intend this mechanism just as a possible added security layer preventing CSRF in case my main mechanism is bypassed for some reason.
My code will be something like this:
    if (isset($_SERVER['HTTP_REFERER'], $_SERVER['HTTP_HOST']))
        if (parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) != $_SERVER['HTTP_HOST'])
            exit('Anti-CSRF mechanism!');
I think this has no support or usability problems, right?
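The check above run over a few constructed requests, as an added example that is not part of the original post. It shows two cases the direct comparison treats as a mismatch: a `Host` header that carries a port, and hostnames that differ only in letter case. The function names `host_without_port` and `referer_check` are hypothetical, and an absent header is assumed to pass, as in the post's `isset` guard.

```php
<?php
// Added example, not the poster's code. Function names are hypothetical.

/** Lowercased host part of a Host header value, with any ":port" dropped. */
function host_without_port(string $hostHeader): string
{
    // The "//" prefix makes parse_url treat the value as an authority.
    $host = parse_url('//' . $hostHeader, PHP_URL_HOST);
    return is_string($host) ? strtolower($host) : '';
}

/** Returns 'absent', 'match' or 'mismatch' for a $_SERVER-style array. */
function referer_check(array $server): string
{
    if (!isset($server['HTTP_REFERER'], $server['HTTP_HOST'])) {
        return 'absent'; // header stripped: leave the decision to the main mechanism
    }
    // parse_url gives null (no host) or false (malformed) for unusable values.
    $refHost = parse_url($server['HTTP_REFERER'], PHP_URL_HOST);
    $ownHost = host_without_port($server['HTTP_HOST']);
    if (!is_string($refHost) || $ownHost === '') {
        return 'mismatch';
    }
    return strtolower($refHost) === $ownHost ? 'match' : 'mismatch';
}

// Constructed sample requests (not captured traffic).
$samples = [
    'same host'          => ['HTTP_HOST' => 'shop.example',      'HTTP_REFERER' => 'https://shop.example/cart'],
    'host with port'     => ['HTTP_HOST' => 'shop.example:8443', 'HTTP_REFERER' => 'https://shop.example:8443/cart'],
    'mixed case'         => ['HTTP_HOST' => 'Shop.Example',      'HTTP_REFERER' => 'https://shop.example/'],
    'other site'         => ['HTTP_HOST' => 'shop.example',      'HTTP_REFERER' => 'https://other.example/form'],
    'lookalike prefix'   => ['HTTP_HOST' => 'shop.example',      'HTTP_REFERER' => 'https://shop.example.other.example/'],
    'malformed referer'  => ['HTTP_HOST' => 'shop.example',      'HTTP_REFERER' => 'http:///nohost'],
    'no referer header'  => ['HTTP_HOST' => 'shop.example'],
];

foreach ($samples as $label => $server) {
    printf("%-18s %s\n", $label, referer_check($server));
}
```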