Comment 51 for bug 560246

Robert Collins (lifeless) wrote :

Until someone contributes a patch to do CSRF differently. LP is entirely standards compliant in the current implementation - http://tools.ietf.org/html/rfc7231#section-5.5.2 - using referrer within a site to prevent user agents being tricked into harmful actions cross-site is perfectly legitimate.