add allowed_origin to config

-raise 403 error if a request doesn't have a matching origin

lbry/conf.py

@@ -625,6 +625,7 @@ class Config(CLIConfig):
         previous_names=['upload_log', 'upload_log', 'share_debug_info']
     )
     track_bandwidth = Toggle("Track bandwidth usage", True)
+    allowed_origin = String("Allowed origin header for api calls, use * to allow all", 'null')
 
     # media server
     streaming_server = String('Host name and port to serve streaming media over range requests',

lbry/extras/daemon/daemon.py

@@ -566,6 +566,11 @@ class Daemon(metaclass=JSONRPCServerType):
         log.info("finished shutting down")
 
     async def handle_old_jsonrpc(self, request):
+        origin = request.headers.get('Origin', 'null')
+        origin = None if origin == 'null' else origin
+        if origin != self.conf.allowed_origin != '*':
+            log.warning("API request from origin '%s' is not allowed", origin)
+            raise web.HTTPForbidden()
         data = await request.json()
         params = data.get('params', {})
         include_protobuf = params.pop('include_protobuf', False) if isinstance(params, dict) else False