The IP isn't spoofed, but the X-FORWARDED-FOR header can be spoofed with a fake IP.
I have a not-so-good solution for whitelisting proxy servers, suggested by someone at google who doesn't understand the security issues. I have not released it because it is easy enough to take the spoof a little farther - raising the spoof to the next level. I had still hoping that Google has a way of proving that a particular IP is owned by google. They won't publish a whitelist for me.
I might release a chrome compression proxy fix plugin, but not until I am a little more confident in it.
Keith