Be wary of cross-origin, same-site attacks.
Validation of Referer can be circumvented.
Validation of Referer depends on header being present.
Bypassing Lax restrictions with newly issued cookies.
Bypassing restrictions via vulnerable sibling domains.
Bypassing restrictions using on-site gadgets.
Bypassing Lax restrictions using GET requests.
Validation depends on token being present.