Restricting the maps to certain domains by checking the referrer


Pil

Jan 28, 2012, 3:06:46 AM
to Google Maps JavaScript API v3
This is what Google suggests in the docs

http://code.google.com/apis/maps/documentation/javascript/tutorial.html#api_key

"By default, a key can be used on any site. We strongly recommend that
you restrict the use of your key to domains that you administer, to
prevent use on unauthorized sites. You can specify which domains are
allowed to use your API key by clicking the Edit allowed referrers...
link for your key."

Just tried this out. The result was that I'll get this alert when I
call one of my map pages:

"Google has disabled use of the Maps API for this application. The
provided key is not a valid Google API Key, Bla blah..."


My browser is not allowed to give away the referrer. This is for (my
own) security reasons and to protect (my own) privacy.

So if I restrict my maps only to the referrers of the domains they are
in use not a single map would work for me.

Taking the referrer is inadequate and not reliable - as Google surely
knows.

Rossko

Jan 28, 2012, 7:01:01 AM
to Google Maps JavaScript API v3
> Taking the referrer is inadequate and not reliable - as Google surely
> knows.

What would you suggest that they do accept, from the user's browser?

Pil

Jan 28, 2012, 7:40:09 AM
to Google Maps JavaScript API v3


On Jan 28, 1:01 pm, Rossko <ros...@culzean.clara.co.uk> wrote:

> What would you suggest that they do accept, from the user's browser?

Wasn't there a reliable key-system implemented in the v2 Maps API?
Maybe I'm wrong, but now I know why many maps won't work for me in the
near future - except I change my browser to always send the currently
called domain as referrer.

Andrew Leach

Jan 28, 2012, 8:51:55 AM
to google-map...@googlegroups.com
On 28 January 2012 12:40, Pil <wol...@gmail.com> wrote:
>
> Wasn't there a reliable key-system implemented in the v2 Maps API?
> Maybe I'm wrong, but now I know why many maps won't work for me in the
> near future - except I change my browser to always send the currently
> called domain as referrer.

The Version 2 system used the referrer as well, but defaulted to
"allow" where there wasn't one. In this case it would be helpful if
the message was more explicit, because in your scenario the key is not
wrong.

I can't see the issue with using the referrer for the API. The
referrer which is calling the API will always be the domain you're
looking at and there should be nothing which identifies you, so there
is no privacy issue. [The IP address could be used to identify you,
but only with some difficulty]

In fact, I'm not really sure what the privacy issue is at all. Why do
you suppress the referrer header?

Pil

Jan 28, 2012, 10:52:40 AM
to Google Maps JavaScript API v3


On Jan 28, 2:51 pm, Andrew Leach <andrew.leac...@gmail.com> wrote:

> In fact, I'm not really sure what the privacy issue is at all. Why do
> you suppress the referrer header?

If a site knows your identity, i.e. when you're logged in, this site
may gather referrer URLs of pages that you have visited. Catchword is:
user profiles.

There are many companies - and I wouldn't exclude Google here - that
are very interested in such user profiles. They never say exactly what
they are really doing with the gathered information - although it's
easy to guess: Finally they want to make money out of it.

So suppressing the referrer header is only one precaution amongst
others.
Especially Javascript can be very talkative.

Chris Broadfoot

Jan 29, 2012, 7:21:42 PM
to google-map...@googlegroups.com
On Sat, Jan 28, 2012 at 7:06 PM, Pil <wol...@gmail.com> wrote:
> My browser is not allowed to give away the referrer. This is for (my
> own) security reasons and to protect (my own) privacy.

Hi Pil,

Could you tell me how you made this change to your browser?

Cheers
Chris

--

Pil

Jan 30, 2012, 1:35:04 AM
to Google Maps JavaScript API v3
Hi Chris,

the easiest way is to use a Firefox customization

// Don't give away the Referrer
// 0=don't send any, 1=send only on clicks, 2=send on image requests as well
user_pref("network.http.sendRefererHeader", 0);


Now I'd recommend using RefControl to send the root domain of the
visited site as referrer.

http://www.stardrifter.org/refcontrol/




On Jan 30, 1:21 am, Chris Broadfoot <c...@google.com> wrote:

Chris Broadfoot

Jan 30, 2012, 4:32:12 PM
to google-map...@googlegroups.com

Thanks. I'll test and get back to you.

Note that the new keys support wildcard referrer filtering.

Chris
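
Added example, not part of the thread and not Google's code: a referrer allow-list check showing the two policies for a missing referrer discussed above (the v2-style default of "allow" that Andrew Leach describes, and a "deny" policy matching what Pil observed) together with the wildcard filtering Chris Broadfoot mentions. The pattern syntax, function names and sample URLs are assumptions.

```javascript
'use strict';

// Turn a glob containing "*" into an anchored, case-insensitive RegExp.
function globToRegExp(glob, starClass) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, starClass) + '$', 'i');
}

// Pattern form assumed here: "host-glob/path-glob", e.g. "*.example.com/*".
function matchesPattern(url, pattern) {
  const slash = pattern.indexOf('/');
  const hostGlob = slash === -1 ? pattern : pattern.slice(0, slash);
  const pathGlob = slash === -1 ? '/*' : pattern.slice(slash);
  // Host and path are matched separately so "*" in the host part can never
  // swallow a "/" and match text that only appears in the path.
  return globToRegExp(hostGlob, '[^/]*').test(url.hostname) &&
         globToRegExp(pathGlob, '.*').test(url.pathname);
}

// missingPolicy: 'allow' (v2-style default) or 'deny' (every map fails for a
// browser that sends no referrer).
function checkReferrer(referer, allowedPatterns, missingPolicy) {
  if (!referer) {
    return { allowed: missingPolicy === 'allow', reason: 'no-referrer' };
  }
  let url;
  try { url = new URL(referer); } catch (e) {
    return { allowed: false, reason: 'malformed-referrer' };
  }
  const hit = allowedPatterns.some((p) => matchesPattern(url, p));
  return { allowed: hit, reason: hit ? 'pattern-match' : 'not-in-allowlist' };
}

// Constructed sample data (not taken from the thread).
const ALLOWED = ['www.example.com/*', '*.maps.example.com/*'];
const SAMPLES = [
  'http://www.example.com/store/map.html',
  'http://eu.maps.example.com/',
  'http://other.example.net/www.example.com/',   // allowed name only in path
  'http://www.example.com.other.example.net/',   // allowed name only as prefix
  '',   // browser with network.http.sendRefererHeader set to 0
];

function evaluate(policy) {
  return SAMPLES.map((r) => checkReferrer(r, ALLOWED, policy).allowed);
}

console.log('missing=allow', evaluate('allow'));
console.log('missing=deny ', evaluate('deny'));
```

Only the last sample changes between the two runs: the request without a referrer is accepted under 'allow' and rejected under 'deny', while the two look-alike URLs are rejected under both.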
