Add note for posterity.

panda/api/utils.py

@@ -132,6 +132,8 @@ def try_sessions(self, request, **kwargs):
             if not same_origin(referer, good_referer):
                 return False
 
+        # Tastypie docstring says accessing POST here isn't safe, but so far it's not causing any problems...
+        # This is necessary for downloads that post the csrf token from an iframe
         request_csrf_token = request.META.get('HTTP_X_CSRFTOKEN', '') or request.POST.get('csrfmiddlewaretoken', '')
 
         if not constant_time_compare(request_csrf_token, csrf_token):