Currently we have: $CFG->secureforms
Use additional form security secureforms
Moodle can use an additional level of security when accepting data from web forms. If this is enabled, then the browser's HTTP_REFERER variable is checked against the current form address. In a very few cases this can cause problems if the user is using a firewall (eg Zonealarm) configured to strip HTTP_REFERER from their web traffic. Symptoms are getting 'stuck' on a form. If your users are having problems with the login page (for example) you might want to disable this setting, although it might leave your site more open to brute-force password attacks. If in doubt, leave this set to 'Yes'.
Judging from bug reports this feature is not active on many servers (because the bugs in related code would be reported much sooner New forms lib is always using proper POST request combined with sesskey - we should either add it to forms lib or remove it completely.
We have discussed it today at HQ and decided to remove it from 1.8...