After speaking with wgrant on IRC (thanks!), there's a simple solution:
Chrome sends the "Origin:" HTTP header with all same-origin HTTP POST requests.
This isn't any privacy issue. It's also in line with the specs.
Launchpad would be able to check the Origin header. If it's there and matches, Launchpad wouldn't need to check the referer. This would solve the issue at least for Chrome - and Firefox, if we can make Firefox do the same. https://bugzilla.mozilla.org/show_bug.cgi?id=446344