I have created an API Key, assigned Static Map api only and applied referer policy e.g. www.example.com.
My expectations was this api key should only succeed if http referer header equals to "www.example.com".
When I tried, it's working as below:
Successful response when referer header is "www.example.com"
Unsuccessful response when referer header is not blank and some other value
Successful response when NO referrer header is provided.
Point 1 and 2 is fine however I point 3 shouldn't have been successful. Am I missing something? Is this how referer policy implemented for maps?
I tried by creating new keys as well but same results.
Thanks in advance.
Related
I need to secure my paid google map API key in google developer console.
I had try this in 'Credentials' tab, in api key settings.
Field label 'Accept requests from these HTTP referrers ...'.
If I'm right, this *.dev2.urelay.xyz/* must be useful for this URL - https://dev2.urelay.xyz/
But it doesn't work for me, I got this error in my console
Google Maps API error: RefererNotAllowedMapError https://developers.google.com/maps/documentation/javascript/error-messages#referer-not-allowed-map-error
Your site URL to be authorized: https://dev2.urelay.xyz/
*.dev2.urelay.xyz/* doesn't match https://dev2.urelay.xyz/ because it requires a period (.) that isn't in that URL.
dev2.urelay.xyz/* would match it. You only need the form *.dev2.urelay.xyz/* if you have a subdomain of dev2 that needs to host a map (like https://www.dev2.urelay.xyz/)
When i have put the url below to my browser adress bar i get a 'not found' text.
https://www.googleapis.com/geolocation/v1/geolocate?key=API_KEY
I have registered my app at console and get a api key for that application. I have even provide my credit card data at console and started my trial membership.
I am expecting that it returns me some json. But it doesn't. Why google is not recognize my api key and gives me not found page?
The URL https://www.googleapis.com/geolocation/v1/geolocate?key=API_KEY is for sending POST requests. Since you are navigating it directly in your browser, it won't return any result.
You need to send a POST request with Request body to get the desired result.
Please refer to the Documentation page for Geolocation requests to get more information on creating your Request.
I was able to successfully show the google maps on this page when the url was only http , now I after making it as https , it is giving errors like :
NetworkError: 403 Forbidden - https://maps-api-ssl.google.com/maps/api/js/ViewportInfoService.GetViewportInfo?1m6&1m2&1d41.88098829471135&2d-87.65924221147355&2m2&1d41.88841667852121&2d-87.6252154211187&2u17&4sen-US&5e0&6sm%40347000000&7b0&8e0&9b0&callback=xdc._1eql41&token=45632
Any suggestions on what I am missing here?
Based from this documentation, your http request should look more like this: http://maps.googleapis.com/maps/api/service/output?parameters. HTTPS is required for all Maps API web service requests containing user data, or developer identifiers. Requests made over HTTP that include sensitive data may be rejected.
Found also in this HTTP and HTTPS protocols are considered different URLs documentation that if HTTPS is authorized, HTTP is not necessarily authorized. If you'd like to authorize both at once, you may add a domain without using a protocol: example.com/.
A 403 Forbidden error means that you do not have permission to view the requested file or resource. While sometimes this is intentional, other times it is due to misconfigured permissions.
Why am I receiving a HTTP 403 Forbidden response to my Maps API web
service
requests?
An HTTP 403 response indicates a permission issue, likely because the
signature could not be verified for this request. This could be
because:
A signature has been specified but is incorrect for this request.
The request specifies a Google Maps APIs Premium Plan client ID but does not specify a signature, and the web service being called
requires that all requests made using a client ID include a valid
signature.
A signature has been specified but the associated Google Maps APIs Premium Plan client ID has not been specified.
Hope this helps!
I'm confused about how the HTTP Referrer settings work on Google Maps API Browser Keys.
I'm building a webpage that programatically requests images from Google Maps (primarily the Google Maps Street View Image API, but also does some queries of MaxZoomService and the Static Maps API from the Javascript API).
If I create a Browser key without an HTTP Referrer, it works great.
If I create a Browser key with an HTTP Referrer that matches the domain the page is loaded from, I get 403 errors. I'm using a referrer like *.mydomain.com/*
What's going on? If i set the HTTP Referrer to match the domain the page is loaded from, wouldn't that be correct usage of the referrer? I can go without, but am afraid that opens me up to others grabbing my key and using it. Am I misunderstanding how the referrer works?
According to the HTTP referrer placeholder in the console, the *.example.com/* should indeed work.
In practice, though, this indeed doesn't seem to be the case!
I was able to solve the issue by simply setting the referrer to:
example.com
For more information, have a look at Registering authorized URLs. Good luck!
If you use *.example.com/* you would have to come from either www.example.com or another subdomain, but this won't work if you are coming from example.com (notice the period in the first part of the URL)
If you have some sort of redirect to example.com that strips out the first part of the URL, the best regex to use in this case is simply *example.com/* that would cover all subdomains behind example.com, http or https and all contexts after your domain.
Hope it helps.
The google drive sdk documentation in "Work with Files and Folders" section says something about the header of a post. Which is:
POST https://www.googleapis.com/drive/v2/files
Authorization: Bearer {ACCESS_TOKEN}
Content-Type: application/json
What does this mean? Does the header really exist on a jsonRequest? Where should this post go to? Should we type the header first, then, put in the json request along with the json string then post it to the server? Or does the ACCESS_TOKEN and the rest of the information be posted along with the URL as a get, like this?
POST https://www.googleapis.com/drive/v2/files?access_token={ACCESS_TOKEN}&etc=whatever&...
I understand that you need to be given an access token or an API key, but where does this go? Does this go on the url string, or does it go inside a post value or jsonRequest?
I've read the jsonRequest in json.org, but still can not get it. Do I need to consider what my content-type, content-length, and content-encoding really means? And if ever I will, where should all of these information go?
Sometimes, the answer is just staring right at my face, and before I know it, I already miss the point. So, can anybody shed me some light?
The Google Drive API is a RESTFul API using HTTP requests as the communication mechanism. The Authorization header is an HTTP header that needs to be sent along the request to authorize it. JSON is only used as the resource representation.
However, the Drive API also supports passing the OAuth 2.0 access token as a ?access_token= query parameter which can be more convenient for you.
If you are using one of supported client libraries, all this is taken care of for you through class abstractions.
The header is a standard part of an HTTP request. The standards of an http request are header fields and request methods.
POST https://www.googleapis.com/drive/v2/files
Request methods on this example is a POST and it sends the data to google drive api server. This means, the Google Drive API will accept POST requests.
Authorization: Bearer {ACCESS_TOKEN}
The Authorization, in this case, is an ACCESS_TOKEN which is the API_KEY. The server may receive also a GET request. The server checks to see if the user is authorized before it does its process: create, delete, update, or get files (depending on what the Http Request json data sends).
Content-Type: application/json
The Content-Type tells the server that the Mime Type of the HTTP request that will be sent is a json string. The Mime Type may be already a standard for the server, which means that you don’t even have to put it anywhere in your code because it assumes that you will be sending a json string, and it will receive it once you do POST. Otherwise, it will give an error. Content-Type field will always receive the Mime Type. (For a list of Mime Types, you may refer to http://en.wikipedia.org/wiki/MIME_type.)
Since HTTP Header is a standard, you will need to know what type of standards there are that Google Drive API server uses. Then, follow wherever the header fields are placed. For example, the ACCESS_TOKEN is located in the url string as a GET, and json string is located in a POST. (For a list of HTTP Header, you can also get a reference from http://en.wikipedia.org/wiki/List_of_HTTP_header_fields.)