01/24/2017 (Tue) 00:00:33
As to why the referrer is required:
It is only required when you are not using js and you are authenticating your request, as logged in.
The issue is that if someone puts a form to any other site, your browser will still perform whatever the form does using the cookies the destination site set on your browser.
But if I require these requests to come from the same site that is being requested, this is nullified.
tl,dr; its a CSRF protection that is used minimally.