Comment 49 for bug 560246

Ben Bucksch (benbucksch) wrote :

After speaking with wgrant on IRC (thanks!), there's a simple solution:
Chrome sends the "Origin:" HTTP header with all same-origin HTTP POST requests.
This isn't any privacy issue. It's also in line with the specs.
Launchpad would be able to check the Origin header. If it's there and matches, Launchpad wouldn't need to check the referer. This would solve the issue at least for Chrome - and Firefox, if we can make Firefox do the same. https://bugzilla.mozilla.org/show_bug.cgi?id=446344
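
One way to implement the check proposed in the comment above, as an added example (not part of the comment and not Launchpad's code). The function names, the constructed site origin `https://launchpad.example`, and the choice to reject a present but non-matching `Origin` are assumptions.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_tuple(url):
    """Return (scheme, host, port) for a URL or serialized origin, else None."""
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    return (scheme, parts.hostname.lower(), port or DEFAULT_PORTS[scheme])


def check_post_source(headers, site_origin):
    """Decide whether a POST came from site_origin; returns (allowed, reason).

    headers is a dict keyed by lower-cased header name (hypothetical shape).
    """
    expected = _origin_tuple(site_origin)
    if expected is None:
        raise ValueError("site_origin must be an http(s) origin")
    origin = headers.get("origin")
    if origin is not None:
        # Origin is present, so it alone decides and Referer is not consulted.
        # Assumption: a different value (including "null") is rejected.
        if _origin_tuple(origin) == expected:
            return True, "origin-match"
        return False, "origin-mismatch"
    referer = headers.get("referer")
    if referer is None:
        return False, "no-origin-no-referer"
    # Compare parsed scheme/host/port, not a string prefix, so a lookalike
    # host that merely starts with the site name does not pass.
    if _origin_tuple(referer) == expected:
        return True, "referer-match"
    return False, "referer-mismatch"


if __name__ == "__main__":
    site = "https://launchpad.example"  # constructed sample origin
    print(check_post_source({"origin": "https://launchpad.example"}, site))
    print(check_post_source({"referer": "https://launchpad.example/bugs/1"}, site))
    print(check_post_source({}, site))
```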