See https://incompleteness.me/blog/2007/08/07/fixing-browser-security-samerefereronly/