3eff31a9084b4a8a1587ba2fc43ab4e055e70979
hiram
  Tue Apr 28 14:53:55 2026 -0700
eliminate the HTTP_REFERER check and depend just on the userId cookie for security refs #31811

diff --git src/hg/hubApi/liftOver.c src/hg/hubApi/liftOver.c
index aa800219b03..c39da3f64db 100644
--- src/hg/hubApi/liftOver.c
+++ src/hg/hubApi/liftOver.c
@@ -282,46 +282,36 @@
 /* 'liftOver' function words[1] is the subCommand */
 {
 char *extraArgs = verifyLegalArgs(argLiftRequest);
 if (extraArgs)
     apiErrAbort(err400, err400Msg, "extraneous arguments found for function /liftRequest '%s'", extraArgs);
 
 char *fromGenome = cgiOptionalString(argFromGenome);
 char *toGenome = cgiOptionalString(argToGenome);
 char *email = cgiOptionalString(argEmail);
 char *comment = cgiOptionalString(argComment);
 
 /* probably want a silent exit here */
 if (isEmpty(fromGenome) || isEmpty(toGenome) || isEmpty(email) || isEmpty(comment))
     apiErrAbort(err400, err400Msg, "must have all arguments: %s, %s, %s, %s for endpoint '/liftRequest", argFromGenome, argToGenome, argEmail, argComment);
 
+/* Require a session cookie.  Robots that have not
+ *   passed the challenge will not have one. */
 char *cookieName = hUserCookie();
 char *userId = findCookieData(cookieName);
-char *referer = getenv("HTTP_REFERER");
-char dir[PATH_LEN];
-char name[FILENAME_LEN];
-char ext[FILEEXT_LEN];
-/* expecting request to come from something.ucsc.edu/liftRequest.html */
-if (isNotEmpty(referer) && isNotEmpty(userId))
-    {
-    splitPath(referer, dir, name, ext);
-    if (! (endsWith(dir, ".ucsc.edu/") && sameWord(name, "liftRequest") && sameWord(ext, ".html")))
-          apiErrAbort(err400, err400Msg, "can not find required inputs for endpoint '/liftRequest");
-    } else {
-      if (! debug)
+if (isEmpty(userId))
     apiErrAbort(err400, err400Msg, "can not find required inputs for endpoint '/liftRequest");
-    }
 
 char *toAddr = cfgOption("chainFileRequestEmail");
 char *fromAddr = cfgOption("apiFromEmail");
 
 if (isNotEmpty(toAddr) && isNotEmpty(fromAddr))
     {
     char nowTime[256];
     time_t seconds = clock1();
     struct tm *timeNow = localtime(&seconds);
     strftime(nowTime, sizeof nowTime, "%Y-%m-%d %H:%M:%S", timeNow);
 
     struct dyString *msg = newDyString(0);
     /* may need to encode these inputs to make them safe */
     dyStringPrintf(msg, "%s\nLift over request\nfrom: %s\nto: %s\nemail '%s'\ncomment: '%s'", nowTime, fromGenome, toGenome, email, comment);
     /* Even if the mailViaPipe returned a relevant return code, and I'm not
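Review bot: The new gate at `if (isEmpty(userId))` only tests that the cookie named by `hUserCookie()` is present and non-empty; nothing in this hunk compares its value with a server-side session, so a request carrying any value for that cookie passes. Unless `findCookieData` or an earlier layer already validates the value, the added comment overstates the guarantee, and I would either verify the id against the session store before continuing or reword the comment to `/* Require a non-empty userId cookie; presence only, the value is not verified here. */`. This matters more now that the Referer test is gone, because the cookie is the only gate in front of the `dyStringPrintf` call, which still places `email` and `comment` into the mail text unencoded, as the existing comment there acknowledges. The function's signature is above the hunk and its body continues past the last line shown, so later handling of the mail step cannot be judged from here.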