Add optional whitelisting of referrer IPs #59
Description
The current API allows anyone to use it.
This is fine for demonstration purposes, but to provide a higher level of availability for a given service, it should be possible to only allow API access via a specific hosting of the Javascript component.
As far as I can see, the only way to do this without requiring accounts/API keys is with the HTTP referer header. This can be spoofed, I guess, but it avoids people accidentally accessing something we don't want them to access (i.e. having a closed door is a deterrent to people entering, even if it's not locked).