So obviously a request header can be spoofed on the client side, by any extension/AV/firewall/browser settings etc...
My question is:
Can a site owner
Yes, unfortunately, such a possibility does exist, and a lot of "good.com"-kind sites struggle to fix this issue.
Imagine that, for some reason, "good.com" has a redirecting gateway for statistical or other well-reasoned purposes. For example, this allows "good.com" to measure how many times its users go out to different sites.
Now on "bad.com" the user sees an iframe, or just a button, that somehow navigates them to a URL like this: good.site.example/redirect?to=www.thirdparty.com. And the page at that URL redirects the user to www.thirdparty.com in a way that preserves a Referer.
So basically yes, the Referer HTTP header is not something to depend on in terms of security.
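The usual fix on the "good.com" side is to stop the redirect gateway from forwarding to arbitrary hosts. The following is an added example (not code from the answer above or from any real site) of how such a gateway could validate its "to" parameter against an allowlist and also tell the browser not to pass a Referer on to the target; the origin, allowlist and function names are assumptions made for illustration.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlparse

# Constructed values for a hypothetical "good.site.example" redirect gateway;
# a real deployment would load these from configuration.
SITE_ORIGIN = "https://good.site.example"
ALLOWED_HOSTS = {"www.thirdparty.com", "partner.example"}

def safe_redirect_target(to: str) -> Optional[str]:
    """Return an absolute URL the gateway may redirect to, or None to refuse.

    Accepts same-site paths ("/account") and http(s) URLs whose exact host is
    allowlisted. Scheme-relative ("//evil"), userinfo ("allowed@evil") and
    backslash variants are caught by parsing, not by substring matching.
    """
    if not to or len(to) > 2048:
        return None
    # Browsers treat "\" like "/" in the authority part; normalise first so
    # urlparse sees the same host the browser would.
    candidate = to.replace("\\", "/")
    parsed = urlparse(candidate)
    if not parsed.scheme and not parsed.netloc:
        # Same-site relative path: resolve it against our own origin.
        return urljoin(SITE_ORIGIN, candidate) if candidate.startswith("/") else None
    if parsed.scheme not in ("http", "https"):
        return None
    if parsed.username is not None or parsed.password is not None:
        return None
    if (parsed.hostname or "").lower() not in ALLOWED_HOSTS:
        return None
    return candidate

def redirect_response(to: str) -> Tuple[int, Dict[str, str]]:
    """Build the (status, headers) pair the gateway should send for ?to=..."""
    target = safe_redirect_target(to)
    if target is None:
        # Refuse outright rather than fall back to the raw parameter.
        return 400, {"Content-Type": "text/plain"}
    return 302, {
        "Location": target,
        # Do not let the hop through good.site.example hand a Referer to the target.
        "Referrer-Policy": "no-referrer",
    }
```

Rejected requests are worth logging, since a burst of refused "to" values is a cheap signal that someone is probing the gateway.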