Open
Description
Currently @yogdaan-bot responds to POST requests at https://yogdaanbot.herokuapp.com/hubot/gitter/Lobby
This is fine, but prone to spam. We could instead restrict the access to same-origin requests only since yogi.coffee triggers the webhook from a local url.
curl 'https://yogdaanbot.herokuapp.com/hubot/gitter/Lobby?room='yogdaan/lobby'' -H 'Origin: chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop' -H 'Accept-Encoding: gzip, deflate, br' -H 'Accept-Language: en-US,en;q=0.9' -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36' -H 'Content-Type: application/json' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'DNT: 1' -H 'Postman-Token: 1d0059c3-e006-e36b-6fd1-2176b3f0bf24' --data-binary $'{\n\x09"message" :{\n\x09\x09"from": {\n\x09\x09\x09"username":"yogi-bae",\n\x09\x09\x09"first_name":"I shouldn\'t be doing this"\n\x09\x09},\n\x09\x09"text":"Last one, I need to get this cURL"\n\x09}\n}' --compressed
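An added example, not part of the original issue or the project's code: an Express-style middleware (Hubot's `robot.router` is an Express app) that accepts the webhook only from a loopback TCP peer or with a valid HMAC over the body. It ignores `Origin` and `X-Forwarded-For`, since the sender sets both freely, as the cURL request above does with `Origin`. The `X-Webhook-Signature` header, `req.rawBody`, the secret and the sample requests are assumptions made for the illustration.

```javascript
// Added example: Express-style middleware for a Hubot HTTP listener.
const crypto = require('crypto');

// Loopback peers as Node reports them (IPv4, IPv6, IPv4-mapped IPv6).
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

function validSignature(secret, rawBody, header) {
  if (typeof header !== 'string') return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody).digest();
  const given = Buffer.from(header, 'hex');
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Assumptions: req.rawBody holds the unparsed body, and the signature is sent
// in a hypothetical X-Webhook-Signature header as hex HMAC-SHA256.
function restrictWebhook(secret) {
  return function (req, res, next) {
    // Decide on the TCP peer, never on Origin or X-Forwarded-For:
    // both are request headers chosen by the sender.
    const peer = req.socket && req.socket.remoteAddress;
    if (LOOPBACK.has(peer)) return next();
    const sig = req.headers['x-webhook-signature'];
    if (validSignature(secret, req.rawBody || '', sig)) return next();
    res.statusCode = 403;
    res.end('forbidden');
  };
}

// Runs the middleware against a constructed request object and reports
// 'accepted' or the rejection status code.
function simulate(req) {
  const res = { statusCode: 200, end() {} };
  let passed = false;
  restrictWebhook('constructed-secret')(req, res, () => { passed = true; });
  return passed ? 'accepted' : String(res.statusCode);
}
```

In a Hubot script this would be mounted in front of the existing handler, for example `robot.router.post(path, restrictWebhook(secret), handler)`.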