Which of the statements on web applications security are correct

The web browser will send to a corresponding server all cookies it has matching a domain after a link is clicked.

Stored XSS attacks are served to every user who visits the affected part of the web page.

Using referer header validation is a reliable method for preventing CSRF attacks.

Links and images are considered as exceptions of the single origin policy $($SOP$)$ in web applications security.