#1 suggestion - remove requirement for HTTP_REFERRER
That will make it available to people behind firewalls.
While the HTTP_REFERRER information is in the W3C standard, it is not mandatory and is often used by uncsrupulous web-spam collectors to get targets for random address emails.
For that reason it's becoming more common to filter it out of the http header, something I'm very happy with if it cuts down the number of "see my Xxx pictures" emails that come to my office account.
Unfortunately because of that requirement, no-one in our company can access the wishlist.