Comment 46 for bug 560246

David (d--) wrote:

I think it is worth mentioning that Django enforces 'strict' referrer checking for secure (https) requests. Why is this important? Because if a cookie-backed implementation[0] is used, then subdomain or other cookie 'tossing'[1] is made harder if not impossible.

[0] a random token stored in a cookie
[1] https://github.com/blog/1466-yummy-cookies-across-domains
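
The point made in the comment above, as an added example that is not part of the original comment and is not Django's own code: a simplified model of a cookie-backed (double-submit) CSRF check combined with a strict Referer check on HTTPS requests. The function names, hosts and token values are constructed for illustration, and ports and trusted-origin lists are left out.

```python
import hmac
from urllib.parse import urlsplit


def tokens_match(cookie_token, form_token):
    """Double-submit comparison: the cookie value must equal the submitted value."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def csrf_check(*, is_secure, host, referer, cookie_token, form_token):
    """Return (accepted, reason) for a state-changing request (simplified model)."""
    if is_secure:
        # Strict Referer check: the header must be present, use https,
        # and name exactly the host that is serving the request.
        if not referer:
            return False, "no referer"
        ref = urlsplit(referer)
        if ref.scheme != "https":
            return False, "insecure referer"
        if ref.netloc.lower() != host.lower():
            return False, "referer host mismatch"
    if not tokens_match(cookie_token, form_token):
        return False, "token mismatch"
    return True, "ok"


# Constructed sample requests (hosts and tokens are made up).
LEGIT = dict(is_secure=True, host="app.example.com",
             referer="https://app.example.com/settings",
             cookie_token="tok-A", form_token="tok-A")

# A sibling subdomain has set its own token cookie for the parent domain and
# submits a form carrying the same value, so cookie and form token agree.
TOSSED = dict(is_secure=True, host="app.example.com",
              referer="https://other.example.com/page",
              cookie_token="tok-B", form_token="tok-B")

if __name__ == "__main__":
    print("legit request:   ", csrf_check(**LEGIT))
    print("token check only:", tokens_match(TOSSED["cookie_token"],
                                            TOSSED["form_token"]))
    print("tossed cookie:   ", csrf_check(**TOSSED))
```

The token comparison alone cannot tell the two requests apart, because the value in the cookie is whatever the browser sent; the Referer host is what separates them in this model.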