Setting HTTP Referrer on Maps API Browser Key Results in 403 Error

2

18

I'm confused about how the HTTP Referrer settings work on Google Maps API Browser Keys.

I'm building a webpage that programmatically requests images from Google Maps (primarily the Google Maps Street View Image API, but also does some queries of MaxZoomService and the Static Maps API from the JavaScript API).

If I create a Browser key without an HTTP Referrer, it works great.

If I create a Browser key with an HTTP Referrer that matches the domain the page is loaded from, I get 403 errors. I'm using a referrer like *.mydomain.com/*

What's going on? If I set the HTTP Referrer to match the domain the page is loaded from, wouldn't that be correct usage of the referrer? I can go without, but am afraid that opens me up to others grabbing my key and using it. Am I misunderstanding how the referrer works?

Charbonneau answered 23/11, 2015 at 22:29 Comment(1)
Possible duplicate of Google Maps API Referer 403 Error - Drewdrewett
8

If you use *.example.com/* you would have to come from either www.example.com or another subdomain, but this won't work if you are coming from example.com (notice the period in the first part of the URL).

If you have some sort of redirect to example.com that strips out the first part of the URL, the best regex to use in this case is simply *example.com/* that would cover all subdomains behind example.com, http or https and all contexts after your domain.

Hope it helps.

Degauss answered 24/1, 2018 at 19:25 Comment(1)
Won't this allow someone else to use the same API key from the refer URL anotherexample.com? - Belldame
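
The difference between the two patterns in this answer, and the concern raised in the comment under it, as an added example (not part of the original posts and not Google's matching code). It assumes a simplified model in which the scheme is ignored and `*` matches any run of characters, and that a key can carry more than one referrer entry; the function names and sample referrers are constructed.

```javascript
// Simplified model of wildcard referrer matching (an assumption, not Google's code).
// The pattern is split into host and path; "*" in the host never crosses a "/".
function toRegExp(pattern) {
  const esc = (s, wild) =>
    s.split("*").map((p) => p.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(wild);
  const slash = pattern.indexOf("/");
  const host = slash === -1 ? pattern : pattern.slice(0, slash);
  // Assumption: a pattern with no path part allows any path on that host.
  const path = slash === -1 ? "/*" : pattern.slice(slash);
  return new RegExp("^" + esc(host, "[^/]*") + esc(path, ".*") + "$");
}

// True if any pattern in the restriction list admits the referrer URL.
function referrerAllowed(patterns, referrer) {
  const url = new URL(referrer);
  const target = url.host + url.pathname; // e.g. "www.example.com/map.html"
  return patterns.some((p) => toRegExp(p).test(target));
}

// For each candidate restriction list, report which referrers it admits.
function audit(candidates, referrers) {
  const report = {};
  for (const [name, patterns] of Object.entries(candidates)) {
    report[name] = referrers.filter((r) => referrerAllowed(patterns, r));
  }
  return report;
}

// Constructed sample data: the site's own pages plus a look-alike host.
const REFERRERS = [
  "https://www.example.com/map.html",
  "https://example.com/map.html",
  "https://anotherexample.com/map.html",
];

const CANDIDATES = {
  subdomainsOnly: ["*.example.com/*"],              // pattern from the question
  looseWildcard: ["*example.com/*"],                // pattern from this answer
  twoEntries: ["example.com/*", "*.example.com/*"], // bare domain + subdomains
};

console.log(audit(CANDIDATES, REFERRERS));
```

Under this model the two-entry list admits the bare domain and its subdomains without admitting the look-alike host that the single loose wildcard lets through.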
14

According to the HTTP referrer placeholder in the console, the *.example.com/* should indeed work.

In practice, though, this indeed doesn't seem to be the case!

I was able to solve the issue by simply setting the referrer to:

example.com

For more information, have a look at Registering authorized URLs. Good luck!

Lanie answered 24/11, 2015 at 15:1 Comment(2)
Ty. In practice it doesn't work how it is in their docs. It works only as you answered. - Karolkarola
Yup, their docs are stuffed - I opened a support case about it because it took me ages to figure out why it wasn't working until I found this SO Q/A. Their care factor was 0. - Projectionist