Wildcard in the URLFetch whitelist - gmail-addons

The official docs say:
If your add-on functionality demands it, you can use a * character as wildcard in the whitelist.
I have tried multiple ways to define it with no luck. Could somebody show a simple example of how it can be done?
Link to a problem I have related to this topic

You can't use wildcards.
You need a complete domain, or don't use a whitelist at all (which is not recommended).
This part of documentation explains:
Whitelisting URLs
The prefixes you add to the manifest must satisfy the following requirements:
Each prefix must have a full domain.

Related

Google Maps API HTTP Restrictions: how to use wildcards?

Based on documentation here
I added http restrictions using wildcards like so:
https://*.mydomain.com
https://*.mydomain.com/*
This should cover all paths for all subdomains, but I receive RefererNotAllowedMapError error when I try to use https://www.dev.mydomain.com/#/
I even tried explicitly adding https://www.dev.mydomain.com/#/, but I get the same error.
I am totally lost and have no idea what to do. Clearly other people are using Google Maps APIs and not leaving them totally unrestricted so there has to be a way to do this.
Try adding these two HTTP restrictions instead:
*.mydomain.com/*
mydomain.com/*
These two will allow your API key to be used in all sub-domains and paths in your website.
Adding (*.) before your domain will allow something like "www.mydomain.com" or "dev.domain.com" to access your API key.
Adding (*) after your domain will allow something like "domain.com/path" to access your API key.

Can Google Safe Browsing work on the domains instead of URLs?

I would like to use Google Safe Browsing to find malicious domains, and I doubt that it reports the whole domain (like example.com) as malicious if only a specific path in the domain (example.com/path1/maliciousfile.html) is malicious. So if I check the domain example.com, it returns nothing (meaning the domain is clean). Are my assumptions true? If yes, is there a way that I can check whether there exists a malicious path in a given domain (without knowing the specific malicious path)?
Thank you,
As I understood from the documentation, it just checks against a list of URLs.

Adding Localhost to recaptcha whitelist

How to add your localhost website to google recaptcha domain list. My domain name is localhost:8888/folder/index.php
When adding the above domain name you get "URL starts with an invalid scheme" error.
To add localhost to the reCAPTCHA domain list, you have to be careful with the following steps:
Remove http:// or https:// from the URL.
Also remove the www. from the URL.
Do not add a port number (e.g. localhost:8000).
You can just add localhost or 127.0.0.1.
If you want to add your site (e.g. http://www.example.com), then just add example.com.
You need to get at least a free DNS and point it to your localhost. Google does not allow non domain names to be used.
What you can attempt to do is create an api key for another valid name and see if it works. They have been tightening down on api keys and I have seen a lot of keys no longer work that were used across more than one ip/domain.
All sub directories are not valid. Once you have a domain name pointing to the subdirectory then by default it will work across all sub directories of that domain name. Same applies to SSL.
I'm getting an error "Localhost is not in the list of supported domains". This was working before, what should I do?
localhost domains are no longer supported by default. If you wish to continue supporting them for development you can add them to the list of supported domains for your site key. Go to the admin console to update your list of supported domains. We advise to use a separate key for development and production and to not allow localhost on your production site key.
1: Create a separate key for your development environment
2: Add 127.0.0.1 to the list of allowed domains
3: Save changes and allow up to 30 mins for changes to take effect
For anyone trying to get Recaptcha (especially invisible Recaptcha) working when they have javascript disabled except for specific whitelisted sites: this actually worked for me. Just add [*.]localhost to the javascript whitelist.

What steps should I take to protect my Google Maps API Key?

I have obtained a Google Maps API key for my domain.
The examples provided when I obtained my key show the key embedded in request parameters, for example:
<script src="http://maps.google.com/maps?file=api&v=2&sensor=true_or_false&key=my-key" type="text/javascript"></script>
I appreciate that the referrer field in requests must match my domain, is it safe to make my key visible in script tags and the like? Or are there any other steps I should take?
Considering that the key has to be included in the <script> tags of your HTML pages, to load the JS files/data from Google's servers, there is nothing you can do:
you must put it in your HTML files
everyone can take a look at those.
Still, it doesn't really matter: if anyone tries to use this key on another domain than yours, they will get a JavaScript alert -- which is not nice for their users.
So:
There is nothing you can do; this is the way it works
And there is not much you should worry about, I'd say.
There is a setting in the Google API console that can protect your API bandwidth usage from being used by another domain/user. You can restrict and protect that by using referrer on the API console. The API key will reject requests without referrers that match your restrictions.
Here is a screenshot from Google for an API key that can only be used by Google from its two domains.
Though this question is a few years old it's a very good one. As I understand it exposing API keys, even if they are domain matched, could still lead to abuse. There's a post on Security Stack Exchange here that covers this in more detail.
The steps that you can take to avoid potential abuse have been published by Google here:
Best Practice Guide for securely using APIs:
https://support.google.com/cloud/answer/6310037?hl=en
Though I would recommend taking all of it on board, there is an approach that would deal with the specific example that was posted by Brabster and that's to store the key in an environment variable. This way all you need to do is to substitute the key for a server-side variable that is stored within your project. However, be sure not to commit the file that stores the key to a public repository.
You should use the back end/server side to protect and handle the key. In my case I used Django f/w server side, which can serve an ajax call to get the key from a server script/db and then pass it on to the Google API.
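Added example, not part of any of the answers above: one way to keep the key out of the repository is to read it from an environment variable when the page is rendered, and to scan source files for key-shaped literals before committing. The variable name `MAPS_API_KEY`, the sample files and the placeholder key are constructed for illustration; the `AIza` pattern is a widely used detection heuristic, not an official format specification.

```python
import html
import os
import re
from urllib.parse import urlencode

# Widely used detection heuristic for Google API keys: "AIza" + 35 URL-safe characters.
KEY_PATTERN = re.compile(r"AIza[0-9A-Za-z_\-]{35}")
ENV_VAR = "MAPS_API_KEY"  # assumed variable name, not from the page


def load_key(environ=os.environ):
    """Read the key from the environment; fail closed if it is missing or malformed."""
    key = environ.get(ENV_VAR, "").strip()
    if not KEY_PATTERN.fullmatch(key):
        raise RuntimeError(f"{ENV_VAR} is unset or does not look like an API key")
    return key


def maps_script_tag(environ=os.environ):
    """Build the <script> tag at request time, so templates in the repo hold no key."""
    src = "https://maps.googleapis.com/maps/api/js?" + urlencode({"key": load_key(environ)})
    return f'<script src="{html.escape(src, quote=True)}"></script>'


def find_hardcoded_keys(files):
    """files maps path -> text. Return (path, line number, redacted key) per literal key."""
    hits = []
    for path, text in sorted(files.items()):
        for line_no, line in enumerate(text.splitlines(), start=1):
            for match in KEY_PATTERN.finditer(line):
                key = match.group(0)
                hits.append((path, line_no, key[:6] + "..." + key[-2:]))
    return hits


FAKE_KEY = "AIza" + "X" * 35  # constructed placeholder, not a real key
SAMPLE_REPO = {  # constructed file contents
    "settings.py": 'import os\nMAPS_API_KEY = os.environ["MAPS_API_KEY"]\n',
    "templates/map.html": f'<script src="https://maps.googleapis.com/maps/api/js?key={FAKE_KEY}"></script>\n',
}

if __name__ == "__main__":
    for hit in find_hardcoded_keys(SAMPLE_REPO):
        print("hard-coded key:", hit)
    print(maps_script_tag({ENV_VAR: FAKE_KEY}))
```

The scanner reports only a redacted form of each match, so its output can go into CI logs without repeating the key.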

Delicious API - All bookmarks for a given website?

Is there a way for me to get at a list of the URLs on my website which people have bookmarked on the delicious.com website? Their documentation appears to make no reference to wildcard searches or anything other than individual URLs. Any suggestions?
Delicious.com provides feeds to query information about URLs, but the function only accepts an md5 hash of the URL you want to look up. It looks like it's impossible to perform a single query with a wildcard search via the currently exposed public API. A hack would be to create a list of valid URLs of your site and then query Delicious for each of these URLs, keeping in mind the inter-request delay of 1 second as well as other restrictions.