As explained there, webkit based browsers add the referrer when using the native XMLHttpRequest object. But as shown here: http://www.mercurytide.co.uk/whitepapers/issues-working-with-ajax/ Firefox behaves differently.
So the problem is that Sinon isn't inconsistent in browsers like the native object is?
Exactly. I think in case of Firefox the header error should be ignored because it is allowed to be written.
Is it enough to simply remove the Referer header from the unsafe header list, or will that cause problems in other browsers? I.e., are there other browsers that actually enforce Referer as an unsafe header?
From the Qooxdoo source (https://github.com/qooxdoo/qooxdoo/blob/3e8376d21ef7b6e78163c095e6cc67c4895b2305/framework/source/class/qx/io/remote/transport/XmlHttp.js#L324) the "if" statement and comment below implies that Webkit-based browsers show a "Refused to set unsafe header Referer" message. Therefore, I do not think removing it is correct.
But then what I'm left with is a engine sniff? :/
Unfortunately it seems so. Maybe we could use: https://github.com/qooxdoo/qooxdoo/blob/83f01b0c525e5cd3f752aeb50fca401a82c79fe6/framework/source/class/qx/bom/client/Engine.js
The Qooxdoo ticket has been closed, as it's gone stale. I am closing this.