Section
3.3.3
Top Level
General
User controlled information, such as the referrer header, or any information contained in the Request that is modifiable by a user should never be used as part of an access control decision.