Comment 42 for bug 560246

Robert Collins (lifeless) wrote :

You provided a link to a django plugin. Launchpad is a Zope site.

In terms of a high level spec - prevent CSRF, don't break existing scripts. If you are planning on working on this, I'd be delighted to drill into what any of that means. I don't have a particular implementation in mind (but perhaps someone that is still working on Launchpad does and could advise you).

I think you meant to link to http://www.apps.ietf.org/rfc/rfc2616.html#sec-14.36 not to the Range header definition.

That said, it is *optional* whether to send it, and your browser is choosing not to send it. That doesn't make a server that chooses to reject POST requests without it be in violation of the specification, because RFC2616 says nothing about interpretation of referer, only about the syntax, privacy implications and user agent considerations.