WordPress still relies on HTTP_REFERER for redirects which can be invalid
|Reported by:||_ck_||Owned by:|
Apparently this has not been fixed in over six years either.
The HTTP_REFERER header is not a valid method of redirecting users. It can be forged, blocked, removed or replaced by proxies, firewalls, etc.
This can cause unexpected behavior in user and admin interfaces.
The most common situation is that the header has been removed by personal firewalls to protect privacy. So I suggest developers use a browser plugin to temporarily block the referer and see what behaviors happen.
One consistent example is to try re-checking for spam on comments in the WP admin with akismet but there are other obvious pitfalls in the WP codebase when you search for HTTP_REFERER