Comment 1 for bug 550973

I talked with Marc and remembered what the hwdb app actually is--that is, a completely separate application that basically happens to co-habitate with the Launchpad codebase and database, but is not exposed through the Launchpad browser interface or launchpadlib.

In that light, whether a REFERER header is required is more of a question for the specs, if they exist, of what the hwdb API is. It's probably a reasonable assertion that a REFERER header doesn't belong in them.

My new, new, new recommendation is that we make sure that the specs for the hwdb are clearly stated and well-tested in Launchpad, whatever they are. They probably are already tested, Launchpad generally being pretty well tested; perhaps Zope bug 98437 (which we work around in the new tests) caused the test to appear falsely sufficient in this regard.

If the hwdb specs indicate that the REFERER header should not be required, then we should also add that comment to the pertinent code (lib/canonical/launchpad/webapp/publication.py LaunchpadBrowserPublication.maybeBlockOffsiteFormPost).