sebastiangreger
commented
2 years ago I further added a referrerPolicy to the geocoder's fetch call. For some reason, that does not seem to have an influence on the policy as far as the Devtools Network tab can be trusted – it's all according to the spec, so not yet sure what am I missing here (I even tried removing the meta tag to ensure that it does not have priority over the fetch call's init object; same result).
One thing to add before considering this a final PR will be if(this.geocoding == 'mapbox') conditions around both the additions from those commits – of the APIs included in the plugin, only Mapbox requires a referer, hence this should follow the privacy-by-default principle when an override is not needed. I left it out for now, as this enables testing with other than the Mapbox API.
sylvainjule
This is what I believe to fix #46 – I ran some tests with the default positron maps in my setup and this appears to reliably change the panel's referrerpolicy meta setting to
strict-origin-when-cross-originbefore tile loading starts (Leaflet tileLayer eventloading) and restore the originalsame-originpolicy after loading tiles (tileLayer eventload).The solution is heavily inspired by @rasteiner's workaround and intended as a temporary fix until Leaflet provides proper means to set a referrer policy for fetch. If it proves to work reliably, this is in my opinion the least invasive workaround, as it should not compromise privacy and security for any other fields in the panel (as the policy remains very strict as long as no tile interactions take place).
It would be interesting to hear how this works with the Mapbox API setup and in other environments. The effect can be observed by checking the referrer policy for the tile files in the Devtools Network tab and/or by looking at the meta tag in Inspector view while refreshing/zooming/panning etc.
Feedback and suggestions for improvements most welcome!