Can the HTTP referrer be remotely spoofed?
Ah, okay. It is possible to blank their referrer, and you can do this by making your site SSL (https), and then the browser will automatically not send the referrer when it makes a request from an SSL site to an unencrypted connection. I don't believe there is any way to actually change their referrer to a specific value, however.
Sorry, but from what I can see, it's not possible to do what you're trying to do for CSRF. Blanking could possibly work, in case the developers allowed blank referrers for compatibility with users who disable referrer sending, but I have my doubts.
Hope this helps.
EDIT: By the way, this is in theory that you can't do this. There are certain browser vulnerabilities that will allow you to do this, of course, but any that I know of have been patched.
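An added example, not part of the original answer: a server-side sketch of the blank-referrer case mentioned above, showing a Referer check that accepts a missing header next to one that fails closed. The origin `app.example.test`, the function names, the plain-dict header lookup, and the use of the `Origin` header as the preferred source are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed site origin for this example (constructed value).
TRUSTED_ORIGINS = {("https", "app.example.test", 443)}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_of(value):
    """Return (scheme, host, port) for a header value, or None if unusable."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:  # malformed port or host
        return None
    if not parts.hostname or port is None:
        return None
    return (parts.scheme, parts.hostname.lower(), port)


def lenient_check(method, headers):
    """Weak form: a missing Referer is accepted for compatibility."""
    if method in SAFE_METHODS:
        return True
    referer = headers.get("Referer")
    if not referer:
        return True  # the gap: a blank referrer is treated as same-site
    return _origin_of(referer) in TRUSTED_ORIGINS


def strict_check(method, headers):
    """Hardened form: prefer Origin, fall back to Referer, fail closed."""
    if method in SAFE_METHODS:
        return True
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # no source information on a state-changing request
    # Compare the parsed origin, never a string prefix of the URL.
    return _origin_of(source) in TRUSTED_ORIGINS
```

Header checks of this kind are usually paired with a per-session anti-CSRF token, so that users who legitimately send no referrer are not locked out by the strict form.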