diff --git a/app/controllers/api/v1/protected_controller.rb b/app/controllers/api/v1/protected_controller.rb
index 4e49f3a8..5a14bb28 100644
--- a/app/controllers/api/v1/protected_controller.rb
+++ b/app/controllers/api/v1/protected_controller.rb
@@ -85,7 +85,9 @@ module Api
       # XXX: Este header se puede falsificar de todas formas pero al
       # menos es una trampa.
       def site_is_origin?
-        return if origin? && site.urls(slash: false).any? { |u| origin.to_s.start_with? u }
+        return if site.urls(slash: false).any? do |u|
+          (origin || origin_from_referer).to_s.start_with? u
+        end
 
         @reason = 'site_is_not_origin'
         render plain: Rails.env.production? ? nil : @reason, status: :precondition_required