Gist: yehgdotnet/837c7c6d3f5da89f0fa97b7758521634
Loose source checking - why Referer bypass occurs

A source (Referer) check that tests the raw URL string with a prefix match is satisfied by any attacker-controlled URL that merely begins with the trusted text, for example http://trustedsubdomain.attacker.net/ or http://trustedsubdomain@attacker.net/. The check has to parse the URL and compare the host component against an exact allow-list.

Insecure (prefix match on the raw string):
import java.io.IOException;

public class LooseSourceCheck {
    // INSECURE: a string-prefix test on the raw URL. The prefix
    // "http://trustedsubdomain" also matches attacker-controlled URLs such as
    // http://trustedsubdomain.attacker.net/ or http://trustedsubdomain@attacker.net/,
    // so the check is bypassed.
    public static void showExample(String url) {
        try {
            if (url.startsWith("http://trustedsubdomain")) {
                System.out.println(String.format("Trusted subdomain: %s", url));
            } else {
                throw new IOException("Untrusted subdomain: " + url);
            }
        } catch (Exception ex) {
            // Report the rejection instead of silently swallowing it.
            System.out.println(ex.getMessage());
        }
    }
}
Secure:
import java.net.URL;
import java.util.Arrays;
import java.util.List;

public class StrictSourceCheck {
    // SECURE: parse the URL and compare the host component against an exact
    // allow-list instead of testing a string prefix.
    private static final List<String> APPROVED_HOSTS = Arrays.asList(
        "trust1.yehg.net",
        "trust2.yehg.net",
        "trust3.yehg.net",
        "trust4.yehg.net"
    );

    public static boolean isTrusted(String url) {
        try {
            URL netUrl = new URL(url);
            // getHost() excludes scheme, userinfo, port and path, so
            // http://trust1.yehg.net@attacker.net/ yields "attacker.net".
            // Host names are case-insensitive, so normalise before comparing.
            String host = netUrl.getHost().toLowerCase();
            return APPROVED_HOSTS.contains(host);
        } catch (Exception ex) {
            // Unparseable input is untrusted: fail closed.
            return false;
        }
    }

    public static void showExample() {
        String url = "http://trust1.attacker.net/hack.jpg";
        if (isTrusted(url)) {
            System.out.println("Trusted domain: " + url);
        } else {
            System.out.println("Untrusted domain: " + url);
        }
    }
}
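To see why the prefix check fails and the host check holds, here is an added Python example (not code from the gist) that runs two loose variants, a prefix match and a substring match, and a strict parsed-host match over a constructed set of Referer values. The allow-list is an assumption that mirrors the hosts used above, and the Referer strings are constructed, not captured traffic.

```python
from urllib.parse import urlsplit

# Assumed allow-list, mirroring the hosts used on this page.
APPROVED_HOSTS = frozenset({
    "trust1.yehg.net", "trust2.yehg.net", "trust3.yehg.net", "trust4.yehg.net",
})
ALLOWED_SCHEMES = frozenset({"http", "https"})


def loose_prefix_check(referer):
    """Loose check: does the raw Referer string start with a trusted URL prefix?"""
    if not referer:
        return False
    return any(referer.startswith("http://" + h) for h in APPROVED_HOSTS)


def loose_substring_check(referer):
    """Another loose variant: is a trusted host name anywhere in the string?"""
    if not referer:
        return False
    return any(h in referer for h in APPROVED_HOSTS)


def strict_host_check(referer):
    """Strict check: parse the URL and compare its host component exactly.

    Fails closed on a missing, empty or unparseable Referer.
    """
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:          # e.g. a malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    host = parts.hostname       # lower-cased; userinfo, port and path stripped
    return host in APPROVED_HOSTS


# Constructed Referer values: legitimate ones and bypass attempts.
CASES = [
    "http://trust1.yehg.net/page",                        # legitimate
    "https://trust1.yehg.net/page",                       # legitimate, TLS
    "HTTP://TRUST1.YEHG.NET/page",                        # legitimate, odd casing
    "http://trust1.yehg.net.attacker.net/",               # prefix extended by a subdomain
    "http://trust1.yehg.netevil.com/",                    # prefix extended by label chars
    "http://trust1.yehg.net@attacker.net/",               # trusted name in the userinfo part
    "http://attacker.net/?next=http://trust1.yehg.net/",  # trusted name in the query
    "ftp://trust1.yehg.net/",                             # right host, wrong scheme
    None,                                                 # header absent
]


def evaluate(referers):
    """Return {referer: (loose_prefix, loose_substring, strict)} for each input."""
    return {
        r: (loose_prefix_check(r), loose_substring_check(r), strict_host_check(r))
        for r in referers
    }


if __name__ == "__main__":
    print(f"{'referer':55} prefix substr strict")
    for r, (p, s, t) in evaluate(CASES).items():
        print(f"{str(r):55} {p!s:6} {s!s:6} {t!s}")
```

The prefix check accepts the three attacker-controlled URLs whose text begins with the trusted host, and at the same time rejects the legitimate https and upper-cased Referers; the substring variant is worse, accepting the query-string and ftp cases too. The parsed-host check accepts exactly the three legitimate values. A Referer check is only a supporting control in any case: browsers and proxies frequently omit the header, so the check must fail closed, and even a strict host match does not replace an anti-CSRF token or an Origin check.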