Relating to the blank referer check for GET requests which show this error: The request was made without a referer header and will not be immediately followed. If you wish to follow this URL anyway, click the link to continue with the missing header Although is protects you from remote pages that might not pass a referer, it was fairly annoying if you were just pasting a URL into the browser, or if you were using a bookmark to try and load a page after you were already logged into your session. This change is simple in that, if: 1) It's a GET request 2) there is no referer 3) You're logged in with a session 4) a redirect has not already happened DA will then show you the same error page as before, but a very simple: window.location.href = url will be set, with the &redirect=yes added in, so-as to prevent loops. The redirect will add the missing referer, and you'll see the page you're expecting to see, without needing to click anything. (Confirmed on Chrome anyway). As XSS/ajax attacks are getting the page content, and not running them from the correct URL bar in your browser, if they try to run that redirect on the remote page, the referer passed would then be that of the remote page, and would reject the request, immediately logging you out.