Comment 3 for bug 550973

Revision history for this message
Gary Poster (gary) wrote :

My suggestion in comment #1 was not clear. As of this writing, the following is the pertinent comment in lib/canonical/launchpad/webapp/ LaunchpadBrowserPublication.maybeBlockOffsiteFormPost:

            # We only want to check for the referrer header if we are
            # in the middle of a request initiated by a web browser. A
            # request to the web service (which is necessarily
            # OAuth-signed) or a request that does not implement
            # IBrowserRequest (such as an XML-RPC request) can do
            # without a Referer.
            # XXX gary 2010-03-09 bug=535122,538097
            # The one-off exceptions are necessary because existing
            # non-browser applications make requests to these URLs
            # without providing a Referer. Apport makes POST requests
            # to +storeblob without providing a Referer (bug 538097),
            # and launchpadlib used to make POST requests to
            # +request-token and +access-token without providing a
            # Referer.
            # We'll have to keep an application's one-off exception
            # until the application has been changed to send a
            # Referer, and until we have no legacy versions of that
            # application to support. For instance, we can't get rid
            # of the apport exception until after Lucid's end-of-life
            # date. We should be able to get rid of the launchpadlib
            # exception after Karmic's end-of-life date.

That comment should be expanded to explain why /+hwdb/+submit is an exception, in the same way that it explains +storeblob, +request-token, and +access-token. If the exception is temporary, I'd like it to be associated with an XXX and a bug. Contrariwise, if the exception is permanent, I'd like to have a mention of this in the comment.