Comment 9 for bug 529348

Leonard Richardson (leonardr) wrote :

I added tests to xx-offsite-form-post that duplicated William's suggested crafted CSRF requests, and then I changed Launchpad to reject those requests. I've pushed the resulting branch and associated it with this bug.

I still have to change launchpadlib to send requests in the appropriate scenario (SimulatedLaunchpadBrowser is already totally broken, but it's easier to fix it to make these tests pass than to remove it altogether ATM.) AND, I believe I know about another exploitation vector that hasn't been considered yet: anonymous web service access.

In my branch, if you just put random OAuth credentials in your entity-body, you will be subject to the normal referer check. BUT, if your OAuth credentials happen to be a valid signature of the empty token, you are assumed to be making an anonymous web service request and you go through the "OAuth-authenticated webservice request" loophole. The problem is you don't have to have any special knowledge to make an anonymous web service request.

I haven't verified this for sure yet, and I'm not sure how to plug that loophole.
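The loophole described in the comment above, modelled as an added example (not Launchpad or launchpadlib code): a request gate that skips the Referer check for anything carrying a valid OAuth signature lets a request signed with the empty (anonymous) token through, whereas a gate that only exempts requests signed with a non-empty, issued token falls back to the Referer check for anonymous credentials. The origin, consumer secret, issued token table and `oauth_*` body fields are constructed values; the PLAINTEXT-style `consumer_secret&token_secret` signature is used only to keep the model small.

```python
"""Added example: two versions of a form-POST gate (hypothetical, not Launchpad's).

A browser form POST is accepted only if its Referer is on-site, unless the
request is recognised as an OAuth-authenticated web service request.
"""
import hmac
from dataclasses import dataclass

SITE_ORIGIN = "https://launchpad.test"      # constructed value
CONSUMER_SECRET = "consumer-secret"         # constructed value
ISSUED_TOKENS = {"tok123": "tok123-secret"}  # constructed: token -> token secret


@dataclass
class Request:
    headers: dict
    body: dict


def oauth_signature_valid(body: dict) -> bool:
    """PLAINTEXT-style check: signature == consumer_secret & token_secret.

    An empty oauth_token is the anonymous case: its token secret is empty, so
    anyone who knows the consumer secret can produce a valid signature.
    """
    token = body.get("oauth_token", "")
    if token and token not in ISSUED_TOKENS:
        return False
    token_secret = ISSUED_TOKENS.get(token, "")
    expected = f"{CONSUMER_SECRET}&{token_secret}"
    return hmac.compare_digest(expected, body.get("oauth_signature", ""))


def referer_ok(headers: dict) -> bool:
    """The normal CSRF defence: the Referer must point back to this site."""
    return headers.get("Referer", "").startswith(SITE_ORIGIN + "/")


def weak_gate(req: Request) -> bool:
    """Weak: any validly signed request is exempt from the Referer check,
    including an anonymous request signed with the empty token."""
    if oauth_signature_valid(req.body):
        return True
    return referer_ok(req.headers)


def hardened_gate(req: Request) -> bool:
    """Hardened: only a non-empty, issued token counts as API credentials;
    anonymous credentials fall back to the Referer check."""
    token = req.body.get("oauth_token", "")
    if token and oauth_signature_valid(req.body):
        return True
    return referer_ok(req.headers)


# Constructed sample requests.
OFFSITE_ANON = Request(
    headers={"Referer": "https://evil.example/page"},
    body={"oauth_token": "", "oauth_signature": f"{CONSUMER_SECRET}&"},
)
OFFSITE_RANDOM = Request(
    headers={"Referer": "https://evil.example/page"},
    body={"oauth_token": "nope", "oauth_signature": "garbage"},
)
API_ISSUED = Request(
    headers={},
    body={"oauth_token": "tok123",
          "oauth_signature": f"{CONSUMER_SECRET}&tok123-secret"},
)
ONSITE_FORM = Request(headers={"Referer": SITE_ORIGIN + "/form"}, body={})


def summary() -> dict:
    """Decision of each gate for each sample request."""
    return {
        name: (weak_gate(r), hardened_gate(r))
        for name, r in [("offsite_anon", OFFSITE_ANON),
                        ("offsite_random", OFFSITE_RANDOM),
                        ("api_issued", API_ISSUED),
                        ("onsite_form", ONSITE_FORM)]
    }


if __name__ == "__main__":
    for name, (weak, hard) in summary().items():
        print(f"{name:15} weak={weak!s:5} hardened={hard}")
```

The only row where the two gates disagree is the off-site POST carrying anonymous credentials: the weak gate treats it as an API call, the hardened one applies the Referer check. Randomly chosen credentials already fall through to the Referer check in both versions, which is the behaviour the comment describes for the branch.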