This actually has some pretty scary applications. Now you can no longer trust that the referrer is even real at all. Previously you could at least tell if it wasn’t real (i.e. it was there, but incorrect). That was one way people got around cross-site request forgery (CSRF). But now the CSRF can be done with the correct HTTP referrer, and indeed all the correct information that you would expect (including cookies or otherwise). Up to this point, I’ve felt that referrers had limited use anyway, because they are absent too frequently (in the case of security applications like ZoneAlarm etc. that strip them) and you could intentionally remove the referrer.
Now it’s just plain wrong. That could mean serious trouble for any application that relied on that information exclusively. This also has other applications for XSS fuzzing, etc., where you can fuzz all of the information (including browser types, etc.) that is normally not available to the attacker in question. Amit uses the example of the Expect HTTP header, but anything is a potential target, including POST variables, Host headers, etc. The sky is the limit. I’ll be interested to hear if Macromedia comes out with a patch for this, as it has some serious implications for web application security.
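As an added illustration (not code from the original post), here is a small Python model of the two kinds of check: a referrer-only gate, which a request carrying a spoofed but correct-looking Referer passes, and a session-bound synchronizer token, which that same request fails because the token lives in the page, not in the headers or cookies the browser supplies. The site origin, session id and request dicts are constructed.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

SITE_ORIGIN = "https://bank.example"      # constructed: the protected application
SERVER_SECRET = secrets.token_bytes(32)   # per-deployment secret for token derivation


def referer_check(request: dict) -> bool:
    """Weak defense from the post: accept if Referer names our own host.
    Anything that can set request headers defeats it."""
    referer = request["headers"].get("Referer", "")
    return urlparse(referer).netloc == urlparse(SITE_ORIGIN).netloc


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session, embedded in the form; a third-party page
    cannot read it, so a forged request cannot supply it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_check(request: dict) -> bool:
    """Synchronizer-token defense: cookie selects the session, POST body must
    carry the matching token (constant-time compare)."""
    session_id = request["cookies"].get("session", "")
    submitted = request["form"].get("csrf_token", "")
    if not session_id or not submitted:
        return False
    return hmac.compare_digest(submitted, issue_csrf_token(session_id))


# Constructed sample requests: both carry the victim's cookie and a
# correct-looking Referer; only the legitimate one has the form token.
victim_session = "s3ss10n-victim"
LEGIT = {
    "headers": {"Referer": SITE_ORIGIN + "/transfer"},
    "cookies": {"session": victim_session},
    "form": {"amount": "10", "csrf_token": issue_csrf_token(victim_session)},
}
FORGED = {
    "headers": {"Referer": SITE_ORIGIN + "/transfer"},  # header spoofed, as described
    "cookies": {"session": victim_session},              # browser attaches automatically
    "form": {"amount": "10"},                            # token absent
}


def evaluate() -> dict:
    """Returns (legit, forged) verdicts for each defense."""
    return {"referer_only": (referer_check(LEGIT), referer_check(FORGED)),
            "token": (token_check(LEGIT), token_check(FORGED))}
```

The referrer-only gate returns True for both requests, while the token check rejects the forged one even though every header and cookie looks right.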