When you have an S3 bucket configured as a static web site, S3 allows you to restrict access to the objects in the bucket only when the requests came from a particular referrer, using a condition in the bucket policy. For instance, in cases where you want visitors to get to some images only via links on your own web site.
Well, the problem is, the "referrer" comes in the HTTP request header, so a client can fake any referrer and easily bypass this condition. For example, with curl, it's as easy as
I wish AWS would at least put up a warning next to the sample policy (linked to above), because it really just adds some false sense of security.