use Referer instead of Origin when using IE

* IE10 (and 11) do not send HTTP_ORIGIN when requesting a URL no in
    the same origin, although recommended by WHATWG [1]
  * if IE10 is used, use the referer. If this header is supressed by the
    user, it won't work (and I don't care).

IE10 needs to die, seriously:

> We have a long-standing interoperability difference with other browsers
> where we treat different ports as same-origin whereas other browsers
> treat them as cross-origin.

via https://connect.microsoft.com/IE/feedback/details/781303/origin-header-is-not-added-to-cors-requests-to-same-domain-but-different-port

[1] http://tools.ietf.org/html/draft-abarth-origin-09

isso/views/comments.py

@@ -12,6 +12,7 @@ from werkzeug.http import dump_cookie
 from werkzeug.routing import Rule
 from werkzeug.wrappers import Response
 from werkzeug.exceptions import BadRequest, Forbidden, NotFound
+from werkzeug.useragents import UserAgent
 
 from isso.compat import text_type as str
 
@@ -44,7 +45,10 @@ def csrf(view):
 
     def dec(self, environ, request, *args, **kwargs):
 
-        origin = request.headers.get("Origin", "")
+        if UserAgent(environ).browser == "msie":  # yup
+            origin = request.headers.get("Referer", "")
+        else:
+            origin = request.headers.get("Origin", "")
         if parse.host(origin) not in map(parse.host, self.conf.getiter("host")):
             raise Forbidden("CSRF")