diff --git a/zerver/decorator.py b/zerver/decorator.py
index b83065aea0..7e685a5287 100644
--- a/zerver/decorator.py
+++ b/zerver/decorator.py
@@ -213,8 +213,9 @@ def validate_account_and_subdomain(request, user_profile):
     if user_profile.realm.deactivated:
         raise JsonableError(_("Realm for account has been deactivated"))
+    # Either the subdomain matches, or we're accessing Tornado from
+    # and to localhost (aka spoofing a request as the user).
     if (not check_subdomain(get_subdomain(request), user_profile.realm.subdomain) and
-        # Allow access to localhost for Tornado
         not (settings.RUNNING_INSIDE_TORNADO and
              request.META["SERVER_NAME"] == "127.0.0.1" and
              request.META["REMOTE_ADDR"] == "127.0.0.1")):