mapbox-gl-geocoder

Supply referrer in API requests

Open peterqliu opened this issue 6 years ago • 3 comments

Domain-restricted API tokens need a referrer URL to work properly. Safari 12.1.0 currently throws a 403: Forbidden without one.

peterqliu avatar May 07 '19 21:05 peterqliu

Somehow, Chrome sends the referer anyway, enabling it to work normally.

peterqliu avatar May 08 '19 19:05 peterqliu

I ran into this issue as well. When trying to run the geocoder example in Safari, I end up receiving a 403 error.

ZiZasaurus avatar Mar 17 '20 19:03 ZiZasaurus

According to https://developer.apple.com/library/archive/documentation/AppleApplications/Conceptual/SafariJSProgTopics/XHR.html, Safari won't send the Referer header with an XMLHttpRequest for cross-site requests; however, it will send the Origin header, which at least contains the domain name.

Although access tokens can be restricted based on the full URL, as far as I can tell there is nothing we can do about this in mapbox-gl-geocoder.

It could be that the Mapbox API should treat requests from Safari differently and check for the origin where a referer is not provided.

If anyone wants to see this fixed, I suggest the best course of action is to try and confirm if this is fixable in mapbox-gl-geocoder or not, and if not, we can push back to Mapbox to see if a server-side fix could be implemented.

andrewharvey avatar Mar 18 '20 02:03 andrewharvey
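
The server-side fallback suggested in the comment above, sketched as an added example that is not part of the thread and is not Mapbox's or mapbox-gl-geocoder's code. The function names, the allow-list format and the sample requests are assumptions made for illustration.

```javascript
// Hypothetical check for a URL-restricted token: use Referer when present,
// fall back to Origin when the browser omits Referer (the Safari case above).

// Return scheme://host[:port] for a header value, or null if it does not parse.
// The literal Origin value "null" (opaque origin) also yields null.
function normalizeOrigin(value) {
  try { return new URL(value).origin; } catch { return null; }
}

// headers: object with lower-cased header names (as Node's http module gives).
// allowedUrls: assumed allow-list format, e.g. ["https://example.com/maps/"].
function checkTokenRestriction(headers, allowedUrls) {
  const allowed = allowedUrls.map((entry) => {
    const u = new URL(entry);
    return { origin: u.origin, path: u.pathname };
  });

  if (headers.referer) {
    let ref;
    try { ref = new URL(headers.referer); } catch {
      return { ok: false, reason: 'bad-referer' };
    }
    // Full-URL restriction: origin must match and the path must be under the allowed prefix.
    const hit = allowed.some(
      (a) => a.origin === ref.origin && ref.pathname.startsWith(a.path));
    return { ok: hit, reason: hit ? 'referer-match' : 'referer-mismatch' };
  }

  const origin = headers.origin ? normalizeOrigin(headers.origin) : null;
  if (origin) {
    // Origin carries no path, so a path restriction can only be
    // enforced at origin granularity on this branch.
    const hit = allowed.some((a) => a.origin === origin);
    return { ok: hit, reason: hit ? 'origin-only-match' : 'origin-mismatch' };
  }
  return { ok: false, reason: 'no-referer-or-origin' };
}

// Constructed sample requests (not captured traffic).
const ALLOWED = ['https://example.com/maps/'];
const samples = {
  withReferer: { referer: 'https://example.com/maps/index.html', origin: 'https://example.com' },
  originOnly: { origin: 'https://example.com' },
  otherSite: { origin: 'https://other.example' },
  neither: {},
};
for (const [name, h] of Object.entries(samples)) {
  console.log(name, checkTokenRestriction(h, ALLOWED));
}
```

Both headers are set by the browser and can be set freely by non-browser clients, so a check like this limits token reuse from other sites' pages rather than authenticating the caller.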