Set referer for XMLHttpRequest?
I am successfully sending a XMLHttpRequest by using:

var createCORSRequest = function(method, url) {
  var xhr = new XMLHttpRequest();
  if ("withCredentials" in xhr) {
    // Most browsers.
    xhr.open(method, url, true);
  } else if (typeof XDomainRequest != "undefined") {
    // IE8 & IE9
    xhr = new XDomainRequest();
    xhr.open(method, url);
  } else {
    // CORS not supported.
    xhr = null;
  }
  return xhr;
};

var url = 'http://www.whatismyip.com';
var method = 'GET';
var xhr = createCORSRequest(method, url);

xhr.onload = function() {
  // Success code goes here.
};

xhr.onerror = function() {
  // Error code goes here.
};


xhr.setRequestHeader('referer', 'http://www.google.com');
xhr.send();

However, I was not able to define my referer. What is the correct way to add a custom referer?

Sora answered 30/11, 2014 at 21:36 Comment(1)
I have the same problem and could not understand why XMLHttpRequest does not have referrer or User-Agent information. Is there any way to catch them all using fetch or axios? - Confirmand
19

You cannot. The XMLHttpRequest specification forbids the altering of the referer header (this stops sites lying in it to bypass security checks which some sites use the referer for).

Terminate these steps if header is a case-insensitive match for one of the following headers:

  • Referer
Gumption answered 30/11, 2014 at 21:50 Comment(0)
3

You can try something like this:

xhr.setRequestHeader('X-Referer', window.location.href);

And then read this custom X-Referer header.

Chromomere answered 12/7, 2020 at 10:40 Comment(0)
-2

Answer found on https://www.trustedsec.com/blog/setting-the-referer-header-using-javascript/

You can set it using window.history.replaceState(null, '', 'https://yourwebsite.com/forged/referer')

As far as I know, it only works with the same domain, but you can forge the path this way.

See https://developer.mozilla.org/en-US/docs/Web/API/History/replaceState

Lanitalank answered 18/1, 2022 at 14:53 Comment(0)
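The answers above give the two facts a server-side check has to live with: a browser will not let XHR or fetch set Referer at all, so a browser-issued request cannot carry another site's origin in it, but history.replaceState can rewrite the path the page reports, and referrer policies can strip the header entirely. The following Node.js check, added here as an example and not taken from any of the answers, therefore compares only the origin of Origin or Referer, never the path, and fails closed when neither is usable; the ALLOWED_ORIGINS values are constructed placeholders.

```javascript
// Constructed allow-list of trusted origins (scheme://host[:port]).
// 'https://yourwebsite.com' is the placeholder from the thread above.
const ALLOWED_ORIGINS = new Set([
  'https://yourwebsite.com',
  'https://app.yourwebsite.com', // constructed second origin
]);

// Reduce a header value to its origin; null if it is not an http(s) URL.
// URL.origin normalises default ports, so 'https://x:443' -> 'https://x'.
function originOf(value) {
  if (typeof value !== 'string' || value === '') return null;
  try {
    const u = new URL(value);
    if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
    return u.origin;
  } catch {
    return null; // e.g. the literal string 'null' sent for opaque origins
  }
}

// headers: plain object with lower-case keys, as Node's http module
// delivers them. Returns { ok, reason } so the reason can be logged.
// Non-browser clients can send any header they like, so this is one
// layer next to CSRF tokens, not a replacement for them.
function checkRequestSource(headers, allowed = ALLOWED_ORIGINS) {
  // Prefer Origin: browsers send it on cross-origin and non-GET requests
  // and it never carries a path. A present but unparseable value
  // (such as 'null') is rejected rather than ignored.
  if (headers['origin'] !== undefined) {
    const origin = originOf(headers['origin']);
    return origin !== null && allowed.has(origin)
      ? { ok: true, reason: 'origin-allowed' }
      : { ok: false, reason: 'origin-rejected:' + String(headers['origin']) };
  }
  // Fall back to Referer, comparing the origin only: the path can be
  // rewritten with replaceState, the origin cannot be set from script.
  const ref = originOf(headers['referer']);
  if (ref !== null) {
    return allowed.has(ref)
      ? { ok: true, reason: 'referer-origin-allowed' }
      : { ok: false, reason: 'referer-mismatch:' + ref };
  }
  // Neither header usable (stripped by policy, privacy tooling, or a
  // non-browser client): fail closed for state-changing requests.
  return { ok: false, reason: 'no-origin-or-referer' };
}
```

Substring or prefix matching on the raw header would accept 'https://yourwebsite.com.evil.example/' or 'https://evil.example/yourwebsite.com'; parsing to an origin first rejects both.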
