From 7085b1e3c33b6bde50e156127be3b294e3cbc359 Mon Sep 17 00:00:00 2001
From: Jack
Date: Fri, 16 Sep 2016 03:40:06 -0400
Subject: [PATCH] block api requests by referer
---
 lbrynet/lbrynet_daemon/LBRYDaemon.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/lbrynet/lbrynet_daemon/LBRYDaemon.py b/lbrynet/lbrynet_daemon/LBRYDaemon.py
index e23a9aa85..a3cf04446 100644
--- a/lbrynet/lbrynet_daemon/LBRYDaemon.py
+++ b/lbrynet/lbrynet_daemon/LBRYDaemon.py
@@ -402,10 +402,16 @@ class LBRYDaemon(jsonrpc.JSONRPC):
 def render(self, request):
 origin = request.getHeader("Origin")
+ referer = request.getHeader("Referer")
+
 if origin not in [None, 'http://localhost:5279']:
 log.warning("Attempted api call from %s", origin)
 return server.failure
+ if referer not in [None, 'http://localhost:5279/']:
+ log.warning("Attempted api call from %s", referer)
+ return server.failure
+
 request.content.seek(0, 0)
 # Unmarshal the JSON-RPC data.
 content = request.content.read()
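Review bot: Both checks in render() accept `None`, so a request that carries neither Origin nor Referer still reaches the JSON-RPC handling below; browsers do not send Origin on every request type and a referrer policy can suppress Referer, so the absence of both headers does not show that the caller is a local non-browser client. If header-less access has to stay for CLI callers, record that next to the checks with something like `# header-less requests are allowed for local CLI clients; Origin/Referer are not authentication`, and consider requiring a per-install secret on the API. The new Referer test is an exact string match on `'http://localhost:5279/'`, so a page of the local UI at any other path or with a query string would presumably be refused; comparing the parsed scheme, host and port would avoid that. The referer value is set by the remote side and is logged with `%s`; `%r` would keep control characters out of the log line. render()'s body continues past the end of the hunk.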