Kuza55 has a really interesting article on his blog following up on a conversation Trev started about how, if you can run XSS on a site, you can modify the domain and steal cookies. Kuza55 shows that by loading the attack through an iframe whose page uses a meta refresh (which strips the referring URL), you can make the attack completely untraceable back to the origin server or logging server it came from. Very cool.
Now the real question is this: why is there any circumstance in which a page will not send a referring URL? Can someone explain how there is any advantage to browser security in allowing that? Sure, there are places where you want to clear your referrer for privacy reasons, but from an attacker's perspective this is one of the few ways to hide what you are doing to a victim. It doesn't seem like the positives outweigh the negatives, in security terms, for removing referring URLs. I'm definitely open to hearing people's thoughts on this, though, as I'm sure there are other reasons people can think of why it still might have some use.