mapbox / mapbox-gl-geocoder

Geocoder control for mapbox-gl-js using Mapbox Geocoding API
https://mapbox.com/mapbox-gl-js/example/mapbox-gl-geocoder/
ISC License

Supply referrer in API requests #271

Open peterqliu opened 5 years ago

peterqliu commented 5 years ago

Domain-restricted API tokens need a referrer URL to work properly. Safari 12.1.0 currently throws a 403: Forbidden without one.

peterqliu commented 5 years ago

Somehow, Chrome sends the referer anyway, enabling it to work normally.

ZiZasaurus commented 4 years ago

I ran into this issue as well. When trying to run the geocoder example in Safari, I end up receiving a 403 error.

andrewharvey commented 4 years ago

According to https://developer.apple.com/library/archive/documentation/AppleApplications/Conceptual/SafariJSProgTopics/XHR.html, Safari won't send the Referer header with an XMLHttpRequest for cross-site requests; however, it will send the Origin header, which at least contains the domain name.

Although access tokens can be restricted based on the full URL, as far as I can tell there is nothing we can do about this in mapbox-gl-geocoder.

It could be that the Mapbox API should treat requests from Safari differently and check for the origin where a referer is not provided.

If anyone wants to see this fixed, I suggest the best course of action is to try and confirm if this is fixable in mapbox-gl-geocoder or not, and if not, we can push back to Mapbox to see if a server-side fix could be implemented.
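
The server-side fallback suggested in the last comment, written out as an added example (not code from mapbox-gl-geocoder or from the Mapbox API): a token's URL restriction is checked against Referer when the browser sends it and against Origin when it does not. `checkUrlRestriction`, its helpers and the sample URLs are hypothetical; failing closed on path-scoped rules when only Origin is available is a design choice of this example.

```javascript
// Added example: a hypothetical server-side check, not Mapbox's implementation.
// Header names are assumed lowercased, as Node's http module delivers them.

// Parse an http(s) URL; anything else (missing header, "null", file:) yields null.
function parseHttpUrl(value) {
  try {
    const url = new URL(value);
    return /^https?:$/.test(url.protocol) ? url : null;
  } catch {
    return null;
  }
}

// True when `path` is the rule's path or lies beneath it ("/maps" must not match "/mapsevil").
function pathMatches(rulePath, path) {
  if (rulePath === '/') return true;
  const prefix = rulePath.endsWith('/') ? rulePath : rulePath + '/';
  return path === rulePath || path.startsWith(prefix);
}

// Check a request against a token's URL restrictions.
// Referer (full URL) is preferred; Origin (scheme + host + port only) is the
// fallback for clients that omit Referer on cross-site XHR.
function checkUrlRestriction(headers, allowedUrls) {
  if (allowedUrls.length === 0) return { allowed: true, basis: 'unrestricted' };
  const referer = parseHttpUrl(headers['referer']);
  const source = referer || parseHttpUrl(headers['origin']);
  if (!source) return { allowed: false, basis: 'none' };
  const basis = referer ? 'referer' : 'origin';

  for (const entry of allowedUrls) {
    const rule = parseHttpUrl(entry);
    if (!rule || rule.origin !== source.origin) continue;
    if (basis === 'referer' && pathMatches(rule.pathname, source.pathname)) {
      return { allowed: true, basis };
    }
    // Origin carries no path, so only a domain-wide rule can be satisfied by it;
    // a path-scoped rule fails closed.
    if (basis === 'origin' && rule.pathname === '/') {
      return { allowed: true, basis };
    }
  }
  return { allowed: false, basis };
}

// Constructed sample requests.
const chromeLike = { referer: 'https://example.com/maps/index.html', origin: 'https://example.com' };
const safariLike = { origin: 'https://example.com' };
console.log(checkUrlRestriction(chromeLike, ['https://example.com/maps']));
console.log(checkUrlRestriction(safariLike, ['https://example.com/maps']));
```

Both headers are set by the client, so a check like this limits reuse of a token from other sites' pages in a browser; it does not authenticate the caller.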