
Absolutely not. Just forge the referrer header.


That's incorrect in this context, which is trying to get a victim to use their own browser to submit a request that uses cookies on said browser for authentication (CSRF). Please take a look at the following link:

"Although it is trivial to spoof the referer header on your own browser, it is impossible to do so in a CSRF attack."

(https://owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF...)
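The point the reply makes is that a Referer check is a usable CSRF mitigation precisely because the victim's browser, not the attacker, fills in that header. The following is an added example (not code from the thread or from OWASP) of how a server might perform such a check on a state-changing request. `EXPECTED_ORIGIN` and the header dictionaries are constructed values; the check compares full origins rather than prefixes, consults the Origin header first when a browser sends one, and fails closed when neither header is present, since privacy settings and proxies sometimes strip Referer.

```python
from urllib.parse import urlsplit

# The origin this application is served from (constructed for the example).
EXPECTED_ORIGIN = "https://bank.example"


def origin_of(url):
    """Return the lowercase scheme://netloc of a URL, or None if it has no usable origin.

    The netloc is compared whole, so a URL with userinfo such as
    https://bank.example@evil.test/ does not match bank.example.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def referer_allows_state_change(headers, expected_origin=EXPECTED_ORIGIN):
    """Decide whether a state-changing request may proceed based on its source origin.

    `headers` is a plain dict of request headers (real frameworks normalise
    header-name case; this example expects the canonical spellings).
    Rules:
      * If an Origin header is present, it must equal the expected origin
        ("null" or malformed values are rejected).
      * Otherwise the Referer header must have the expected origin.
      * A request with neither header is rejected (fail closed).
    Comparison is on the whole origin, never a prefix, so
    https://bank.example.evil.test/ is not accepted.
    """
    expected = expected_origin.lower()

    origin = headers.get("Origin")
    if origin is not None:
        return origin_of(origin) == expected

    referer = headers.get("Referer")
    if referer is None:
        return False
    return origin_of(referer) == expected


if __name__ == "__main__":
    # Constructed sample requests: a legitimate same-site form post and
    # several cross-site ones that a CSRF check must reject.
    samples = {
        "same-site form post": {"Referer": "https://bank.example/transfer"},
        "cross-site page":     {"Referer": "https://evil.test/page"},
        "lookalike subdomain": {"Referer": "https://bank.example.evil.test/"},
        "userinfo trick":      {"Referer": "https://bank.example@evil.test/"},
        "no headers at all":   {},
        "origin null":         {"Origin": "null"},
    }
    for label, hdrs in samples.items():
        print(f"{label:22} -> {'allow' if referer_allows_state_change(hdrs) else 'reject'}")
```

Note that a check like this complements, rather than replaces, a synchroniser token; it is most useful as a defence in depth and as an easy signal to log when it fails.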



