https://docs.djangoproject.com/en/1.7/ref/contrib/csrf/

In addition, for HTTPS requests, strict referer checking is done by CsrfViewMiddleware. This is necessary to address a Man-In-The-Middle attack that is possible under HTTPS when using a session independent nonce, due to the fact that HTTP ‘Set-Cookie’ headers are (unfortunately) accepted by clients that are talking to a site under HTTPS. (Referer checking is not done for HTTP requests because the presence of the Referer header is not reliable enough under HTTP.)

我试着翻译了一下：
另外，对于https请求，CsrfViewMiddleware执行了严格的referer检查。在https下session无关的场合，强调可能发生中间人攻击是有必要的，因为在https下和网站通信，HTTP的‘Set-Cookie’头（不幸）被客户端接收。（对于http请求不需要做referer 检测，因为呈现的Referer头不是足够可信的）

但不太理解是什么意思?