
Issue 837542

Issue metadata

Status: WontFix
Owner: ----
Closed: Apr 2018
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: ----
Type: Bug-Security

Security: Information disclosure through http cache

Reported by ma7h1a...@gmail.com, Apr 27 2018

Issue description

online demo: http://176.122.169.50/static/guest.html

 

Comment 1 by ma7h1a...@gmail.com, Apr 27 2018

The online demo shows how to abuse the HTTP cache to bypass a referer check,
or in other words, it could cause a referer spoofing vuln. (but not only this)

http://115.159.205.137/token.php checks if referer=="http://www.infelphira.cn/static/admin.html"

but when http://176.122.169.50/static/guest.html sends the request to token.php, it should get "get out you are just guest" rather than "token from admin"

Attachment: token.php (268 bytes)
Status: WontFix (was: Unconfirmed)
Here's what I think you're saying here:

1> If there's a resource for which the server makes an Access Control decision based on the HTTP Referer header, AND
2> That resource is cacheable, AND
3> The server fails to properly include a Vary: Referer response header on that response, THEN

Then the browser will freely use that resource for subsequent requests, despite the fact that the server would have returned a different resource had the resource not been in the cache.

Is that correct?

If so, this is absolutely working-as-expected. Servers that vary responses based on request headers must indicate that they've done so using the Vary response header.
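The three-step reasoning in the comment above, as an added worked model that is not part of the issue thread and not Chromium's or the reporter's code. It implements the Vary rule of RFC 7234 section 4.1 in a small in-memory cache and a stand-in for token.php that decides on the Referer header alone; the URLs and the two response bodies are taken from the report, the cache-control lifetime and the `emit_vary` switch are assumptions for the illustration. Running it shows the guest page receiving the admin token when the server omits Vary: Referer, and the correct guest response once the header is present.

```python
"""Model of the cache reuse described in this issue.

Constructed illustration, not Chromium or the reporter's code. The cache
applies the Vary rule (RFC 7234 section 4.1): a stored response may be
reused for a new request only if every header named in the stored
response's Vary field has the same value on the new request as it had on
the request that produced the stored response. The origin below stands in
for the reporter's token.php and decides on the Referer header alone.
"""
from dataclasses import dataclass

# Values taken from the report; the cache lifetime below is an assumption.
ADMIN_REFERER = "http://www.infelphira.cn/static/admin.html"
GUEST_REFERER = "http://176.122.169.50/static/guest.html"
TOKEN_URL = "http://115.159.205.137/token.php"


@dataclass
class Response:
    status: int
    headers: dict  # header names stored lower-cased
    body: str


def token_endpoint(request_headers, emit_vary):
    """Stand-in for token.php. emit_vary=False reproduces the report's
    misconfiguration; emit_vary=True adds the Vary: Referer header."""
    headers = {"cache-control": "max-age=3600"}  # assumed cacheable lifetime
    if emit_vary:
        headers["vary"] = "Referer"
    if request_headers.get("referer") == ADMIN_REFERER:
        return Response(200, headers, "token from admin")
    return Response(200, headers, "get out you are just guest")


class Cache:
    """Minimal HTTP cache keyed by URL plus the headers named in Vary."""

    def __init__(self):
        self._entries = {}  # url -> list of (request_headers, Response)

    @staticmethod
    def _vary_names(response):
        raw = response.headers.get("vary", "")
        return [n.strip().lower() for n in raw.split(",") if n.strip()]

    def lookup(self, url, request_headers):
        for stored_req, resp in self._entries.get(url, []):
            names = self._vary_names(resp)
            if "*" in names:
                continue  # Vary: * means the stored response never matches
            # No Vary header means an empty list, so every request matches.
            if all(stored_req.get(n) == request_headers.get(n) for n in names):
                return resp
        return None

    def store(self, url, request_headers, response):
        cc = response.headers.get("cache-control", "")
        if "no-store" in cc or "max-age" not in cc:
            return  # not cacheable under this simplified model
        self._entries.setdefault(url, []).append((dict(request_headers), response))


def fetch(cache, url, request_headers, emit_vary):
    """Return (body, 'hit' or 'miss'); serve from cache when Vary allows it."""
    req = {k.lower(): v for k, v in request_headers.items()}
    hit = cache.lookup(url, req)
    if hit is not None:
        return hit.body, "hit"
    resp = token_endpoint(req, emit_vary)
    cache.store(url, req, resp)
    return resp.body, "miss"


def demo(emit_vary):
    """admin.html fetches the token first, then guest.html asks for it."""
    cache = Cache()
    results = []
    for referer in (ADMIN_REFERER, GUEST_REFERER):
        results.append(fetch(cache, TOKEN_URL, {"Referer": referer}, emit_vary))
    return results


if __name__ == "__main__":
    print("without Vary:", demo(emit_vary=False))
    print("with Vary:   ", demo(emit_vary=True))
```

Vary: Referer only keeps the cache honest about which request produced the stored copy. A Referer check is not an access control: the header is client-controlled and may be absent entirely, so a response carrying a token should be sent with Cache-Control: no-store and gated on real authentication rather than on where the browser says it came from.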

Comment 3 by sheriffbot@chromium.org, Aug 4

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
