|Reported by:||Klaas van Schelven||Owned by:||nobody|
|Has patch:||no||Needs documentation:||no|
|Needs tests:||no||Patch needs improvement:||no|
Django does strict referer checking in the CSRF mechanism. See: https://docs.djangoproject.com/en/dev/ref/contrib/csrf/#how-it-works, at point 4
Security aware people may, however, turn referer headers off. This leads to 403 errors for them.
The "feature" is not strictly necessary; at the moment of switching to HTTPS one could erase any HTTP cookies.
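The behaviour the ticket describes, as an added example that is not part of the ticket and is not Django's own code: a simplified model of a strict Referer check on HTTPS requests, showing that a request with the header stripped gets the same 403 as a cross-origin one. The function name, reason strings and sample requests are assumptions made for illustration, and the CSRF token comparison itself is not modelled.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def strict_referer_check(method, is_secure, host, referer):
    """Model only the Referer step; return (status, reason).

    The reason strings are this example's own, not Django's messages.
    """
    if method in SAFE_METHODS or not is_secure:
        return 200, "referer not checked"
    if not referer:
        # Header stripped by the browser, a privacy extension or a proxy.
        return 403, "no referer"
    try:
        parts = urlsplit(referer)
    except ValueError:
        return 403, "malformed referer"
    if not parts.scheme or not parts.netloc:
        return 403, "malformed referer"
    if parts.scheme != "https":
        # An HTTP page could have been modified in transit.
        return 403, "insecure referer"
    if parts.netloc.lower() != host.lower():
        return 403, "referer host mismatch"
    return 200, "referer ok"


# Constructed sample requests: (method, is_secure, Host, Referer)
SAMPLES = [
    ("POST", True, "example.com", "https://example.com/form/"),
    ("POST", True, "example.com", None),
    ("POST", True, "example.com", "http://example.com/form/"),
    ("POST", True, "example.com", "https://other.example/form/"),
    ("POST", False, "example.com", None),
]


def run_samples():
    return [strict_referer_check(*s) for s in SAMPLES]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, run_samples()):
        print(sample, "->", result)
```
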