Forum OpenACS Q&A: Re: RFC: Security policy for OpenACS (Security hole in OpenACS 5.1!)

No, I was looking for any javascript exploits of the referer header and to date there aren't any. It's a very, very nitpicking remark. :)

Most sites describe referer checking as the 90% solution, mostly due to the cases where the requests are legitimate but turned down because of the reasons you gave above (link in an email, bogus proxies, etc.).