It appears that Launchpad blocks access if your browser does not send a Referer header. See:
The FAQ claims that this is done to prevent CSRF. This sounds like a dubious decision, for three reasons:
1) Requiring a Referer header is bad for privacy. The Referer header can be used to track people's actions on the web and thus is a potential privacy risk which I prefer to avoid. It is none of site A's business what site B I was browsing previously. It's not just me; you are blocking a non-trivial user population. Some client-side privacy tools block the Referer, for good and valid privacy reasons. Some privacy-sensitive users configure their browsers to avoid sending Referer headers. See, e.g.,
Some proxies and firewalls strip the Referer from all HTTP requests, as a security risk and a privacy risk. By blocking those users, you are either harming user privacy or losing out on useful participation from people who care about privacy.
2) The RFC (RFC 2068) specifically envisions that users should be able to disable sending Referer headers, and recommends that web browsers provide a way so that users can enable/disable this, because of its privacy implications. Your Referer check means that your site will not be accessible from RFC 2068-compatible browsers.
3) Requiring a Referer header does not prevent CSRF. The Referer header is not reliable for security purposes; there are a number of techniques that can be used to forge Referer headers. If the Referer check is the only defense against CSRF, then Launchpad is probably vulnerable to CSRF. If Launchpad is using a proper defense against CSRF (e.g., double-cookie submission, CSRF tokens), then it is secure without the Referer check and blocking people who don't send a Referer header is gratuitous. I'm not sure why it would be necessary to force users to lower their privacy settings if they want to use Launchpad.
Can this decision be revisited, please?
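Added example, not part of the original report and not Launchpad's code: a Python sketch of the token-based defence named in point 3 (double-cookie submission with a session-bound token), next to the Referer-required policy, run over constructed requests. The function names, origin, key and session ids are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # constructed; a real site loads this from config
ORIGIN = "https://app.example"         # constructed origin, not a real deployment

def _mac(session_id, nonce):
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_token(session_id):
    """Random nonce plus an HMAC that binds it to this session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"

def token_check(session_id, cookie_token, form_token):
    """Double-submit check: cookie and form field must match and carry a valid MAC."""
    if not cookie_token or not form_token:
        return False
    if not hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return False
    nonce, _, mac = form_token.partition(".")
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce).encode())

def referer_required_check(headers):
    """The policy the report objects to: no same-site Referer, no access."""
    return headers.get("Referer", "").startswith(ORIGIN + "/")

def evaluate(session_id, headers, cookies, form):
    return {"referer_policy": referer_required_check(headers),
            "token_policy": token_check(session_id, cookies.get("csrf"), form.get("csrf"))}

def sample_requests():
    """Constructed requests, all evaluated against session 's1'."""
    tok, tok2 = issue_token("s1"), issue_token("s2")
    return {
        # Same-site form post from a user whose browser or proxy strips Referer.
        "no_referer_user": evaluate("s1", {}, {"csrf": tok}, {"csrf": tok}),
        # Cross-site post: the cookie is attached, but the other site cannot read it.
        "cross_site": evaluate("s1", {"Referer": "https://other.example/p"}, {"csrf": tok}, {}),
        # Token minted for another session, placed in both cookie and form field.
        "wrong_session": evaluate("s1", {}, {"csrf": tok2}, {"csrf": tok2}),
    }
```

The token check accepts the Referer-less same-site request that the Referer policy refuses, and rejects both the cross-site post and the token from another session without consulting the header at all.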