Creates a new instance from the specified configuration, which defines
the behaviour of the referrer based CSRF protection as follows:
If config is null or empty string the default
behaviour is to allow only requests with an empty referrer header or a
referrer host equal to the server host
A comma separated list of additional allowed referrer hosts which are
valid in addition to default behaviour (see above).
The value DISABLED may be used to disable the referrer checking altogether