How to Make Someone Fetch a URL with a Blank Referer Header

a.k.a. Why Not to Trust Referer Headers for Security Purposes
a.k.a. Hacking Twitter

    Things that work:
  1. Embed an iframe that sends a 'Refresh' header, or contains a <meta http-equiv="refresh" content="0;url="/> element, both of which will redirect to the new URL without a referer header.
  2. Embed an iframe that's served over HTTPS, with a 'Location' header that points to the new URL (referer headers aren't sent from HTTPS locations, for privacy).
  3. Embed an iframe that's served over HTTPS, and within that embed an img element with its src attribute set to the new URL.
    Things that don't work:
  1. Using the 'Refresh' header tactic to redirect the src attribute of an img element to the new URL.
  2. Some of the above in Opera, which I believe carries referer headers through 'Refresh' headers and meta tags.
  3. Any of the above that use HTTPS, in Firefox 3, if the certificate is self-signed (unless the user's already added an exception for that certificate, which is unlikely).