Comment 7 for bug 529348

William Grant (wgrant) wrote :

The oauth_* form field whitelisting was added to let launchpadlib tests pass (launchpadlib/docs/browser.txt, in particular). All of the launchpadlib tests pass if I remove the oauth_* whitelisting, whitelist /+request-token and /+access-token, and teach launchpadlib's test browser to send a Referer when it's forging +authorize-token requests. Since those two views are safe, it would appear to close all except the /api hole.

So something like this:

+ if (IWebServiceClientRequest.providedBy(request) or
+ not IBrowserRequest.providedBy(request) or
+ request['PATH_INFO'] in ('/+storeblob', '/+request-token',
+ '/+access-token')):
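Review bot: The first clause exempts every request that provides IWebServiceClientRequest regardless of how it was authenticated, so a cookie-authenticated request to the web service still bypasses the Referer check; that is the /api gap this comment itself leaves open, and it would be clearer to scope the clause to OAuth-authenticated requests once that distinction is available. The path whitelist also matches request['PATH_INFO'] by exact string equality, so a trailing slash or a different mount prefix for /+request-token or /+access-token would silently fall back to the Referer check; consider matching on the view rather than the raw path, or at least noting the exact-match assumption in a comment.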

Plus adding "'Referer': self.web_root" to the headers dict in both methods of launchpadlib.credentials.SimulatedLaunchpadBrowser.

Then we just need to work out how to distinguish OAuth-authenticated webservice requests from cookie-authenticated ones.
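As an added illustration, not code from this comment or from Launchpad or launchpadlib, here is a small Python model of the Referer check and path whitelist discussed above. Request objects are plain dicts; the assumed `is_browser` and `is_webservice` flags stand in for the `IBrowserRequest` and `IWebServiceClientRequest` checks, `WEB_ROOT` is a constructed value, and telling OAuth-authenticated web service requests apart by an `Authorization: OAuth` header is an assumption of this example, not something the comment settles.

```python
# Added example, not Launchpad's or launchpadlib's code. Models a Referer-based
# form-submission check with a whitelist of exempt paths and request kinds.
from urllib.parse import urlparse

WEB_ROOT = "https://launchpad.example/"  # constructed value, not a real host
# Exact-match whitelist, as in the proposed condition.
SAFE_PATHS = frozenset({"/+storeblob", "/+request-token", "/+access-token"})


def is_oauth_authenticated(request):
    """Assumed heuristic: an OAuth-signed request carries an Authorization
    header beginning with 'OAuth'; a cookie-authenticated one does not."""
    auth = request.get("headers", {}).get("Authorization", "")
    return auth.startswith("OAuth ")


def referer_check_exempt(request):
    """Return True if the Referer check does not apply to this request.

    Web service requests are exempt only when OAuth-authenticated (the
    distinction the comment says still needs working out); requests that are
    not browser requests at all are exempt; so are the whitelisted paths.
    """
    if request.get("is_webservice") and is_oauth_authenticated(request):
        return True
    if not request.get("is_browser"):
        return True
    return request.get("PATH_INFO", "") in SAFE_PATHS


def referer_matches_root(request, web_root=WEB_ROOT):
    """True only if a Referer is present and its origin matches web_root."""
    referer = request.get("headers", {}).get("Referer")
    if not referer:
        return False
    root, ref = urlparse(web_root), urlparse(referer)
    return (ref.scheme, ref.netloc) == (root.scheme, root.netloc)


def allow_form_submission(request, web_root=WEB_ROOT):
    """Decide whether a request should be processed as a form submission.

    Non-POST requests pass; exempt POSTs pass; any other POST must carry a
    same-origin Referer.
    """
    if request.get("method", "GET") != "POST":
        return True
    if referer_check_exempt(request):
        return True
    return referer_matches_root(request, web_root)


if __name__ == "__main__":
    # Constructed sample requests covering the cases discussed in the comment.
    samples = {
        "browser POST, same-origin Referer": {
            "method": "POST", "is_browser": True, "PATH_INFO": "/+edit",
            "headers": {"Referer": WEB_ROOT + "+edit"}},
        "browser POST, no Referer": {
            "method": "POST", "is_browser": True, "PATH_INFO": "/+edit",
            "headers": {}},
        "browser POST to whitelisted /+request-token, no Referer": {
            "method": "POST", "is_browser": True,
            "PATH_INFO": "/+request-token", "headers": {}},
        "cookie-authenticated web service POST, no Referer": {
            "method": "POST", "is_browser": True, "is_webservice": True,
            "PATH_INFO": "/api/devel/thing", "headers": {"Cookie": "lp=x"}},
        "OAuth-authenticated web service POST, no Referer": {
            "method": "POST", "is_browser": True, "is_webservice": True,
            "PATH_INFO": "/api/devel/thing",
            "headers": {"Authorization": "OAuth oauth_consumer_key=k"}},
    }
    for label, req in samples.items():
        print(f"{label}: {'allowed' if allow_form_submission(req) else 'rejected'}")
```

The cookie-authenticated web service case is the one the comment's proposed condition still lets through; in this model it is rejected only because the exemption is tied to the assumed OAuth header check rather than to the request type alone.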