A protection against XSS is good. But after we're logged in there, verified human, there is no need to keep that referer checking. May it be used for XSS after logging in?! Of course! But it will be from my user - just block the user who does it. In practice, referer demanding makes no difference, exce...