Tile query without referer in http header with Webkit


surfish

Sep 14, 2011, 6:38:29 AM
to google-map...@googlegroups.com
Hello,

I use GMap V3 JS API to connect to a WMS server (IGN in France) using ImageType class.
The server requires the referer header for security (and commercial) reasons.

My script works well on Mozilla (and IE 7+) web browsers but on Webkit based browsers (Chrome or Safari), my tile queries don't include the referer in the HTTP header.

Header with Webkit :
Header with Mozilla :
  • GET /geoportail/wmsc?LAYERS=ORTHOIMAGERY.ORTHOPHOTOS&EXCEPTIONS=text/xml&FORMAT=image/jpeg&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap&STYLES=&SRS=IGNF:GEOPORTALFXX&BBOX=0,-8388608,4194304,-4194304&WIDTH=256&HEIGHT=256&TILED=true&gppkey=Rv8MqmkkCLGu-LZ_tBftmWazurQAAAAAAb8H2l2zA4IA23DSAAABMmeEdsoAAAAAAlgAAQEDzIOB9ekozuGHh5PROd1pgMM0AABDNAAAwrQAAEK0AAA HTTP/1.1
  • Host: wxs.ign.fr
  • User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
  • Accept: image/png,image/*;q=0.8,*/*;q=0.5
  • Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
  • Accept-Encoding: gzip, deflate
  • Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
  • Connection: keep-alive
  • Referer: http://localhost/cadxmap/ign/ign_test.html
  • Cookie: JSESSIONID=586278F61849A5CB3C68A40FAD943FCC.BF129F5BA50FC20EB8

Is there a way to 'force' GMap API to send the referer ?

Thank you for your help.

Ben Appleton

Sep 14, 2011, 7:31:24 PM
to google-map...@googlegroups.com

Browsers don't allow JS to control the referer header. I suggest using an "access token":
1 - When you serve the HTML page, include a private hash of the date.
2 - When your JS forms a tile URL, append the access token.
3 - When your tile server receives a request, verify the access token is recent before returning the tile.
This is more secure than referer checking, as referers can be spoofed to steal your tiles.

Ben

Android brevity

On Sep 15, 2011 5:22 AM, "surfish" <ofor...@gmail.com> wrote:
> Hello,
>
> I use GMap V3 JS API to connect to a WMS server (IGN in France) using
> ImageType class.
> The server requires the referer header for security (and commercial)
> reasons.
>
> My script works well on Mozilla (and IE 7+) web browsers but on Webkit based
> browsers (Chrome or Safari), my tile queries don't include the referer in
> the HTTP header.
>
> Header with Webkit :
>
> - *GET
> http://wxs.ign.fr/geoportail/wmsc?LAYERS=ORTHOIMAGERY.ORTHOPHOTOS&EXCEPTIONS=text/xml&FORMAT=image/jpeg&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap&STYLES=&SRS=IGNF:GEOPORTALFXX&BBOX=-12582912,-4194304,-8388608,0&WIDTH=256&HEIGHT=256&TILED=true&gppkey=spwpVJHASUZQqXWkft2hO3xnQ2gAAAAAAb8HZV2zA4IA23DSAAABMmeCvIYAAAAAAlgAAQEDzIOB9ekozuGHh5PROd1pgMM0AABDNAAAwrQAAEK0AAA
> HTTP/1.1*
> - *Host: wxs.ign.fr*
> - *Proxy-Connection: keep-alive*
> - *User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.1 (KHTML,
> like Gecko) Chrome/13.0.782.220 Safari/535.1*
> - *Accept: */**
> - *Accept-Encoding: gzip,deflate,sdch*
> - *Accept-Language: fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4*
> - *Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3*
> - *Cookie: JSESSIONID=D26C4F293472016EB473E3A88CA6B25A.1A1C40D300011D861D
> *
>
> Header with Mozilla :
>
> - GET
> /geoportail/wmsc?LAYERS=ORTHOIMAGERY.ORTHOPHOTOS&EXCEPTIONS=text/xml&FORMAT=image/jpeg&SERVICE=WMS&VERSION=1.1.1&REQUEST=GetMap&STYLES=&SRS=IGNF:GEOPORTALFXX&BBOX=0,-8388608,4194304,-4194304&WIDTH=256&HEIGHT=256&TILED=true&gppkey=Rv8MqmkkCLGu-LZ_tBftmWazurQAAAAAAb8H2l2zA4IA23DSAAABMmeEdsoAAAAAAlgAAQEDzIOB9ekozuGHh5PROd1pgMM0AABDNAAAwrQAAEK0AAA
> HTTP/1.1
> - Host: wxs.ign.fr
> - User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101
> Firefox/6.0.2
> - Accept: image/png,image/*;q=0.8,*/*;q=0.5
> - Accept-Language: fr,fr-fr;q=0.8,en-us;q=0.5,en;q=0.3
> - Accept-Encoding: gzip, deflate
> - Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> - Connection: keep-alive
> - Referer: http://localhost/cadxmap/ign/ign_test.html
> - Cookie: JSESSIONID=586278F61849A5CB3C68A40FAD943FCC.BF129F5BA50FC20EB8

>
>
> Is there a way to 'force' GMap API to send the referer ?
>
>
> Thank you for your help.
>
>
> --
> You received this message because you are subscribed to the Google Groups "Google Maps JavaScript API v3" group.
> To view this discussion on the web visit https://groups.google.com/d/msg/google-maps-js-api-v3/-/rCHdbApir6IJ.
> To post to this group, send email to google-map...@googlegroups.com.
> To unsubscribe from this group, send email to google-maps-js-a...@googlegroups.com.
> For more options, visit this group at http://groups.google.com/group/google-maps-js-api-v3?hl=en.
>
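The three access-token steps from the reply above, as an added example that is not part of the original post and is not Google Maps or IGN code. It assumes you operate the tile server, uses HMAC-SHA256 as the "private hash", and every name, the secret, the 10-minute window and the `tiles.example.test` host are constructed for illustration.

```javascript
// Added example: time-limited tile access token (Node.js, CommonJS).
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumption: real key lives in server config
const MAX_AGE_S = 600;                    // assumption: token accepted for 10 minutes
const CLOCK_SKEW_S = 30;                  // assumption: tolerated clock drift

// Keyed hash of the issue time; only the server knows SECRET.
function sign(issuedAtText) {
  return crypto.createHmac('sha256', SECRET).update(String(issuedAtText)).digest('hex');
}

// Step 1: the server embeds this value in the HTML page it serves.
function issueToken(nowS) {
  return `${nowS}.${sign(nowS)}`;
}

// Step 2: the page's JS appends the token to each tile URL it forms.
function tileUrlWithToken(tileUrl, token) {
  const u = new URL(tileUrl);
  u.searchParams.set('token', token);
  return u.toString();
}

// Step 3: the tile server verifies the token before returning the tile.
function verifyTileRequest(requestUrl, nowS) {
  const token = new URL(requestUrl).searchParams.get('token') || '';
  const m = /^(\d{1,12})\.([0-9a-f]{64})$/.exec(token);
  if (!m) return 'malformed';
  // Recompute over the exact timestamp text received, compare in constant time.
  const expected = Buffer.from(sign(m[1]), 'hex');
  const given = Buffer.from(m[2], 'hex');
  if (!crypto.timingSafeEqual(expected, given)) return 'bad-signature';
  const issuedAt = Number(m[1]);
  if (issuedAt > nowS + CLOCK_SKEW_S) return 'from-future';
  if (nowS - issuedAt > MAX_AGE_S) return 'expired';
  return 'ok';
}
```

The check does not depend on the Referer header, so it gives the same result whether or not the browser sends one.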

surfish

Sep 15, 2011, 12:59:31 PM
to google-map...@googlegroups.com
Thank you Ben.

I DO NOT change anything in the header; I know the cross-domain policy constraints.
I noticed that Google Maps/Webkit don't send the referer in the header (check my header samples) from time to time !!!

Actually, the IGN server (external server, not mine) uses an access token AND referer to check that the query is authorized. That is the reason why I really need Google Maps/Chrome to send the referer ;-)

Any idea ?

Thank you

Ben Appleton

Sep 15, 2011, 7:53:24 PM
to google-map...@googlegroups.com
Sorry, we can't help you. It sounds like WebKit browsers may not send the referer header for cross-domain requests. Referer is often stripped for privacy by some proxy servers and browsers, so I think you'll have to fix your WMS server.

- Ben


surfish

Sep 16, 2011, 5:47:28 AM
to Google Maps JavaScript API v3
You can check an example here: http://www.gisdoctor.com/v3/v3_wms.html
Some Google Maps tile queries send the referer in the header, others
don't!
A lot of commercial WMS servers require the Referer to validate the
session token. Google Maps won't be able to integrate them if the
problem is not solved.

Ben Appleton

Sep 18, 2011, 9:23:43 PM
to google-map...@googlegroups.com
I tried your example, but after playing around for a while I couldn't figure out what it's intended to demonstrate. Can you specify steps to reproduce the issue?

Again, v3 does not (and I believe cannot) control the "referer" header in tile requests. So even if we can replicate the issue, it may not be possible to fix.

Thanks
Ben

surfish

Sep 19, 2011, 3:56:37 PM
to google-map...@googlegroups.com
Check in Chrome developer tools the network/image activity (WMSserver).
Two things I don't understand :
- the JS code/GMap generates two sets of identical tile queries (after last GET transparent.png)
- the first set is not sent with referer, the second includes referer in http header (after GET rotate.png).

I understand that GMap V3 relies on Webkit behavior... but maybe it can adapt to a strange behavior, as for IE. Anyway, thank you for helping me understand where the origin of the problem is.

Thanks again,

Below, a network activity sample....

In first query set :
  1. Accept:
    */*
  2. Accept-Charset:
    ISO-8859-1,utf-8;q=0.7,*;q=0.3
  3. Accept-Encoding:
    gzip,deflate,sdch
  4. Accept-Language:
    fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
  5. Connection:
    keep-alive
  6. Host:
  7. User-Agent:
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1

In second query set : 

  1. Accept:
    */*
  2. Accept-Charset:
    ISO-8859-1,utf-8;q=0.7,*;q=0.3
  3. Accept-Encoding:
    gzip,deflate,sdch
  4. Accept-Language:
    fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
  5. Connection:
    keep-alive
  6. Host:
  7. Referer:
  8. User-Agent:
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1

Ben Appleton

Sep 21, 2011, 3:24:42 AM
to google-map...@googlegroups.com
The double-fetch is strange. I see that also in our google.maps.ImageMapType example:
http://code.google.com/apis/maps/documentation/javascript/examples/maptype-image.html
This occurs only in Chrome, not in Firefox. We'll look into it.

- Ben


surfish

Sep 28, 2011, 5:32:03 AM
to Google Maps JavaScript API v3
Hello Ben,

Do you have news about the double-fetch ?

Thanks,
Olivier

On 21 sep, 09:24, Ben Appleton <apple...@google.com> wrote:
> The double-fetch is strange. I see that also in our
> google.maps.ImageMapType example: http://code.google.com/apis/maps/documentation/javascript/examples/ma...
> This occurs only in Chrome, not in Firefox. We'll look into it.
>
> - Ben
>
> On Tue, Sep 20, 2011 at 5:56 AM, surfish <ofors...@gmail.com> wrote:
> > Check in Chrome developer tools the network/image activity (WMSserver).
> > Two things I don't understand :
> > - the JS code/GMap generates two sets of identical tile queries (after last
> > GET transparent.png)
> > - the first set is not sent with referer, the second includes referer in
> > http header (after GET rotate.png).
>
> > I understand that GMap V3 relies on Webkit behavior... but maybe it can
> > adapt to a strange behavior, as for IE. Anyway, thank you for helping me
> > understand where the origin of the problem is.
>
> > Thanks again,
>
> > Below, a network activity sample....
>
> > *In first query set :*
>
> >http://sampleserver1.arcgisonline.com/arcgis/services/Specialty/ESRI_...
>
> >    1. Accept:
> >    */*
> >    2. Accept-Charset:
> >    ISO-8859-1,utf-8;q=0.7,*;q=0.3
> >    3. Accept-Encoding:
> >    gzip,deflate,sdch
> >    4. Accept-Language:
> >    fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
> >    5. Connection:
> >    keep-alive
> >    6. Host:
> >    sampleserver1.arcgisonline.com
> >    7. User-Agent:
> >    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/535.1
> >    (KHTML, like Gecko) Chrome/14.0.835.163 Safari/535.1
>
> > *In second query set : *
>
> >http://sampleserver1.arcgisonline.com/arcgis/services/Specialty/ESRI_...
>
> >    1. Accept:
> >    */*
> >    2. Accept-Charset:
> >    ISO-8859-1,utf-8;q=0.7,*;q=0.3
> >    3. Accept-Encoding:
> >    gzip,deflate,sdch
> >    4. Accept-Language:
> >    fr-FR,fr;q=0.8,en-US;q=0.6,en;q=0.4
> >    5. Connection:
> >    keep-alive
> >    6. Host:
> >    sampleserver1.arcgisonline.com
> >    7. Referer:
> >    http://www.gisdoctor.com/v3/v3_wms.html
> >    8. User-Agent:

Ben Appleton

Sep 28, 2011, 7:29:41 AM
to google-map...@googlegroups.com
Hi Olivier,

I traced the double-fetch to a regression in Chrome (http://code.google.com/p/chromium/issues/detail?id=97543). I have disabled the code-path which triggered it. Unfortunately this makes continuous zoom slow in Chrome, so I am following this up internally too.

Cheers
Ben

surfish

Sep 28, 2011, 11:23:57 AM
to google-map...@googlegroups.com
Hi Ben,

Thank you. It seems that there is no workaround solution from my side to avoid the double-fetch. I hope that a solution will come soon from GMap team side or Chromium team side.

Regards,
Olivier

Olivier FORSANS

May 20, 2012, 3:18:02 PM
to google-map...@googlegroups.com
Hi Ben (or anyone from GMaps support team),

I posted a new GMaps bug in stackoverflow (as indicated here) but did not have any serious answers.

For overlays with negative longitudes or latitudes, the overlays events don't work (nothing is fired). Strangely, that is not the case with positive longitudes and latitudes overlays.

Regards,
Olivier



Enoch Lau (Google Employee)

May 20, 2012, 8:26:46 PM
to google-map...@googlegroups.com
If you believe you've encountered a bug, please file it using the issue tracker at http://code.google.com/p/gmaps-api-issues/issues/list instead of stackoverflow.

Enoch

