AndroidSystemSEPolicy

For some protection against CSRF attacks, check if the Origin header is
the weburl we are listening on before handling POSTs to
moderation/{edit,accept}/<doc>.
If the request does not contain an Origin header (which should never be
the case for POST requests in modern browsers), a warning is printed and
the request handled anyway.

It is probably a good idea to implement some CSRF token mechanism to
authenticate requests as well, I'm not sure how robust this Origin
checking stuff really is.