[panel] mapbox doesn't load when using a token with url restrictions

rasteiner commented 2 years ago

Hello Sylvain :)

In the panel, Mapbox tiles can't be loaded when using a "non public" token. This is because the Kirby panel (since 3.4) blocks the referrer header (here).

I don't know if this should be an issue with Locator, the Kirby panel or Leaflet.

Locator could circumvent this issue by overriding the meta tag, with something like:

document.querySelector("meta[name=referrer]").content = "origin";

Kirby could solve this by using a less strict referrer policy. Something like "origin" or "no-referrer-when-downgrade"...

Leaflet could solve this by adding a referrer policy to their tiles. Actually they did this a few days ago, but considering their last "release" was in september 2020, I don't know how long it will take to get this option in a stable version...

I will crosspost an issue also on Kirby, and then link here.

sebastiangreger commented 2 years ago

Hi! I just added a bit of context/history about that strict referrer policy of the Kirby panel in a comment on that issue in the Kirby core repo.

I'm not able to try this out right now and this is based on a really quick glance at the plugin's code, but I think this might actually be possible to resolve by changing line https://github.com/sylvainjule/kirby-locator/blob/73553ece28d6c92e6075a240917de8c1cb5a368a/src/field/Locator.vue#L38 to <div class="k-locator-container" referrerpolicy="strict-origin-when-cross-origin"> or whatever is the strictest policy that Mapbox accepts for verification.

An element-specific referrerpolicy overrides the page-wide policy for this element and all its children, hence it should (?!) also be inherited by any image elements of the map? My apologies in advance if I'm overlooking something obvious – we did this for an iframe over at the kirby-embed plugin (Github issue) but I haven't actually ever tried this for JS-generated elements.

rasteiner commented 2 years ago

I didn't know that referrerpolicy is inherited by child elements, actually I thought that it would be only valid on img / a / iframe / script / etc... elements. I'll try this out and let you know :)

rasteiner commented 2 years ago

Are you sure it worked for the other plugin? According to my tests done now, it doesn't really seem to be inherited, at least not in Chrome and MDN only says

You can specify the referrerpolicy attribute on \, \, \, \, \<script>, or \<link> elements to set referrer policies for individual requests</p> </blockquote> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/sebastiangreger"><img src="https://avatars.githubusercontent.com/u/6355217?v=4" />sebastiangreger</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>You are actually right! I did some deep digging into the W3C spec where that inheritance rule is <a href="https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-inheritance">defined in the usual cryptic way</a> so it appears not to be working on a <code><div></code> the way I had previously understood. The other plugin was a different scenario, as it was a simple iframe-based embed; that worked flawlessly.</p> <p>I, too, just ran some tests and got the same results (i.e. none). There would still be the option to apply a <code>referrerpolicy</code> attribute to the script tag importing the script; see <a href="https://html.spec.whatwg.org/multipage/scripting.html#attr-script-referrerpolicy">https://html.spec.whatwg.org/multipage/scripting.html#attr-script-referrerpolicy</a> for reference. How this applies and/or can be tweaked in Vue or the Kirby Panel, I don't know – that's a whole over dimension of inheritances etc. And I'm not even sure where we'd have to put this.</p> <p>This is a really intriguing case, but right now I'm a bit on the edge of my technical skills to experiment further… I still want to believe that it should be possible to set a policy for something I embed on a page (here: a JS library that loads map tiles) which is then observed by the included script (i.e. Leaflet). But maybe I'm just chasing a :rainbow:?</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/rasteiner"><img src="https://avatars.githubusercontent.com/u/6684137?v=4" />rasteiner</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>In this case the refer(r)er needs to be sent on the single image tiles, so even if we would include leaflet with a referrerpolicy attribute, the images created by leaflet wouldn't automatically "inherit" the policy. The only clean way to solve this would be leaflet setting the policy on their image tags (like they did here: <a href="https://github.com/Leaflet/Leaflet/commit/f1f4e05ba1f530672423458e1f70ac44dee4fb77">https://github.com/Leaflet/Leaflet/commit/f1f4e05ba1f530672423458e1f70ac44dee4fb77</a>), but as already mentioned we would have to wait for them to release version 1.8.0, but <a href="https://github.com/Leaflet/Leaflet/milestone/37">that milestone</a> has "no due date" and is 65% done.</p> <p>Anyway, one strategy could still be "just wait until 1.8.0". In the meantime I've "fixed" my issue with a plugin that does this:</p> <pre><code class="language-js">document.querySelector("meta[name=referrer]").content = "strict-origin-when-cross-origin";</code></pre> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/sebastiangreger"><img src="https://avatars.githubusercontent.com/u/6355217?v=4" />sebastiangreger</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Good to hear you found a pragmatic workaround (on a side note: it has always baffled me that browsers accept such change to the global <code>referrerpolicy</code> after the load event; but it's apparently evaluated at the time of the click event).</p> <p>As of these results, I concur with your assessment. Good to learn that there was yet one more scenario (scripts loading stuff into the panel via API) that we hadn't yet come across in those earlier discussions. I'm hoping to run a few more experiments when I find some spare time – just out of curiosity to thoroughly "x-ray" all aspects of this – and would ping you if I find any surprise leads …not putting my hopes up, though :slightly_smiling_face:</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/sebastiangreger"><img src="https://avatars.githubusercontent.com/u/6355217?v=4" />sebastiangreger</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>So, after some more reading and experimentation, I would indeed conclude that there is no way to selectively relax the referrer policy for these map requests. As you pointed out, the policy for scripts' fetch requests are not inherited from any elements but from the document meta or (with lower priority) the HTTP header. The suggested feature for Leaflet 1.8.0 will be the only way to change this in a "clean" manner.</p> <p>Your creative workaround solution however made me think whether this "hack" couldn't be turned into an integrated feature – and after a bit of digging I discovered the right events for the job: if #47 should prove reliable and stable, I see this as the best stopgap solution to solve this. It would allow to maintain the Kirby panel's strict privacy-by-default philosophy while still allowing to embed libraries like Leaflet that do not support explicit fetch request policies.</p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/sylvainjule"><img src="https://avatars.githubusercontent.com/u/14079751?v=4" />sylvainjule</a> commented <strong> 2 years ago</strong> </div> <div class="markdown-body"> <p>Many thanks to both of you for looking into it ! 🙏 I have merged #47 and will revert once 1.8.0 is out (92% now).</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

sylvainjule / kirby-locator

[panel] mapbox doesn't load when using a token with url restrictions #46