Part of lp.services.webapp
| Kind | Name | Description |
|------|------|-------------|
| Function | maybe_block_offsite_form_post | Check if an attempt was made to post a form from a remote site. |
| Class | ProfilingOops | Fake exception used to log OOPS information when profiling pages. |
| Class | LoginRoot | Object that provides IPublishTraverse to return only itself. |
| Class | LaunchpadBrowserPublication | Subclass of z.a.publication.BrowserPublication that removes ZODB. |
| Function | is_browser | Return True if we believe the request was from a browser. |
| Function | tracelog | Emit a message to the ITraceLog, or do nothing if there is none. |
Check if an attempt was made to post a form from a remote site. This is a cross-site request forgery (XSRF/CSRF) countermeasure. The OffsiteFormPostError exception is raised if the following holds true:

1. the request method is POST *AND*
2. a. the HTTP referer header is empty *OR*
   b. the host portion of the referrer is not a registered vhost
There will be false positives and false negatives, as we can only tell this from the User-Agent: header and this cannot be trusted.
Almost all web browsers provide a User-Agent: header starting with 'Mozilla'. This is good enough for our uses. We also add a few other common matches for good measure. We could massage one of the user-agent databases that are available into a usable form, but we would gain little.
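The two heuristics described above, the Referer-based off-site POST rule and the User-Agent browser guess, as an added stand-alone example that is not Launchpad's own code. The vhost names and the User-Agent prefixes other than 'Mozilla' are constructed assumptions; Launchpad itself takes the vhost list from its configuration.

```python
from urllib.parse import urlsplit

# Constructed placeholders: Launchpad loads its vhost list from config.
REGISTERED_VHOSTS = frozenset({"launchpad.test", "bugs.launchpad.test"})


class OffsiteFormPostError(Exception):
    """Raised when a POST arrives with no Referer or an off-site one."""


def referer_host(referer):
    """Lowercased host from a Referer header, or None if absent/unparseable."""
    if not referer:
        return None
    try:
        host = urlsplit(referer).hostname
    except ValueError:  # e.g. a malformed IPv6 literal
        return None
    return host.lower() if host else None


def is_offsite_form_post(method, headers, vhosts=REGISTERED_VHOSTS):
    """Apply the rule: POST and (no Referer or Referer host not a vhost)."""
    if method.upper() != "POST":
        return False  # only form posts are checked; GETs pass through
    host = referer_host(headers.get("Referer"))
    return host is None or host not in vhosts


def maybe_block_offsite_form_post(method, headers, vhosts=REGISTERED_VHOSTS):
    """Raise OffsiteFormPostError when the request fails the rule above."""
    if is_offsite_form_post(method, headers, vhosts):
        raise OffsiteFormPostError("form POST not referred from a known vhost")


# 'Mozilla' is the prefix the page names; the rest are an assumption
# standing in for the "few other common matches" it mentions.
BROWSER_UA_PREFIXES = ("Mozilla", "Opera", "Lynx")


def is_browser(headers):
    """Best-effort guess from the untrusted User-Agent header."""
    return headers.get("User-Agent", "").startswith(BROWSER_UA_PREFIXES)
```

Note that an exact host match is used, so a Referer from a lookalike host that merely starts with a registered vhost name is still treated as off-site, and a Referer stripped by a privacy tool is blocked (the false positive the rule accepts).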