Merge pull request #167 from lbryio/block-api-requests-by-referer

block api requests by referer

lbrynet/lbrynet_daemon/LBRYDaemon.py

@@ -402,10 +402,16 @@ class LBRYDaemon(jsonrpc.JSONRPC):
 
     def render(self, request):
         origin = request.getHeader("Origin")
+        referer = request.getHeader("Referer")
+
         if origin not in [None, 'http://localhost:5279']:
             log.warning("Attempted api call from %s", origin)
             return server.failure
 
+        if referer not in [None, 'http://localhost:5279/']:
+            log.warning("Attempted api call from %s", referer)
+            return server.failure
+
         request.content.seek(0, 0)
         # Unmarshal the JSON-RPC data.
         content = request.content.read()