Comment 57 for bug 560246

Firefox's spoofSource is a very dangerous option that should not exist (or at least not for several years, until Origin is widely deployed).

The correct settings are network.http.referer.trimmingPolicy=2, network.http.referer.XOriginPolicy=1, and optionally network.http.sendRefererHeader=1. That configuration sends Referer only for internal links within a site, and doesn't include path information.