Based on Google's recent announcement I need a way to load the Google Maps Javscript API from my mobile hybrid/Cordova app. I could whitelist file:/// URLs from my console, but I'd rather not because that means anyone who could learn my client ID could then use it in their own app and I'd have no way to protect myself from that.
Apparently Google now supports some kind of API key, but only for Premium accounts created since January of this year, which mine is not.
Is there some other way to allow my mobile app to access the Google Maps Javascript API without opening up such a risk?
If you are a Standard Plan user: you need to load the Maps Javascript API with a key. Per the current limitation on API keys and file:// URLs, you will have to open up the key. You can star this bug to be alerted of updates.
If you are a Premium Plan user, you also have the option to use a client ID, which can be more tightly secured. You can file a support case to request that your client ID authorizes only the file:// URL(s) that you are using.
UPDATE
Restrictions for file protocol were introduced in Google Maps JavaScript API. You can find information in the official documentation:
https://developers.google.com/maps/documentation/javascript/get-api-key#key-restrictions
file:// referers need a special representation to be added to the Key restriction. The "file:/" part should be replaced with "__file_url__" before being added to the Key restriction. For example, "file:///path/to/" should be formatted as "__file_url__//path/to/*". After enabling file:// referers, it is recommended you regularly check your usage, to make sure it matches your expectations.
Related
I'm developing a Google Workspace extension for Gmail which makes requests to backend API and fetches images from different CDN servers. Therefore it is not possible to include every possible URL in urlFetchWhitelist property of the manifest. Is it possible to add only the server's hostname and use some kind of wildcard to include all of its possible suffixes?
Wildcards are supported in urlFetchWhitelist, but they are limited to sub-domains.
See documentation linked below:
https://developers.google.com/apps-script/add-ons/concepts/workspace-manifests#allowlist_urls
I have a Chrome extension that uses the Gmail REST API to send emails on behalf of the user. This API requires an Oauth2 token, which I'm retrieving using chrome.identity.getAuthToken.
The Problem
However, I am running into some issues with the Chrome Identity API. In particular, if the user authenticates with chrome.identity with a different Gmail account then the one they're signed into Chrome with, then they are prompted to re-login every hour or so (which doesn't happen if the accounts are the same). In addition, I'd like to minimize the number of permissions my extension asks for as a general principle (permissions sometimes introduce warning messages on install and risk disabling existing users on update), so I'd like to not have to ask for the "identity" permission if I can avoid it.
My Question
How can I authenticate the Gmail API in Chrome Extensions without using the Identity API?
Current Progress
I initially tried using Google's Javascript Client for auth, but that seems to be incompatible with Chrome extensions. After having searched other SO issues and some Google materials, it seems that the Identity API is indeed the recommended auth solution in Chrome Extensions. However, for the UX reasons mentioned above, I'm finding this solution problematic. And I do think an alternative should be possible -- for example, the MixMax Chrome extension, which uses the Gmail API, does not ask for the Identity permission.
Any help would be much appreciated! Thanks!
API key for Google maps on the project http://kislorod123.ru does not work
At the same time we added the domain name in 3 versions: http://joxi.ru/BA0N8P7UMqal8m
At the moment, we have removed the restrictions for the maps to work on the sites, because we are a web studio and customers are complaining, but the map does not work either.
Tell me how to solve the problem with the operation of the API in the mode of limited access and without restrictions
You may try using the recommended format of http referrers. Remove all the restrictions for kislorod123.ru then add the following restrictions below:
kislorod123.ru
*.kislorod123.ru
These two will allow your API key to be used in all subdomains and paths in your website.
Also note to remove any duplicate restrictions as this will affect the restriction and may cause error. Also the http:// is not necessary.
I wonder if my Google maps API key is safe the way I use it now. Because I have a Cordova application with Google maps, I have generated an API key. I cannot white-list the key to my domain, because it runs client side on the phone.
Also my API key is visible for anyone who unpacks my app and read the index.html, or listen to the web requests that the app makes.
Is there any way to protect my API key? And if there isn't, it is safe to use Google maps, or any other third party API that uses a API key for authentication?
I see two possible solutions to your problem. Both of them I have already personally implemented (not with GMaps though) but still have some downsides.
(1) You can use a backend technology to add in API keys to your requests. For this it is advisable to use a combination of something like Apache2 mod_proxy and mod_rewrite. In your application you then use URLs that point to your proxy server i.e. https://yourserver.com/js/googleapis/maps/api/js and make mod_rewrite this URLs to something like https://maps.googleapis.com/maps/api/js?key=API_KEY
A rule for mod_rewrite (not tested) could look like this:
RewriteCond %{QUERY_STRING} ^$
RewirteRule ^/googleapis/maps/api/js (.*)$ https://https://maps.googleapis.com/maps/api/js?key=API_KEY
I think you get the idea. The big advantage of this approach is that you can completely hide your private information on a server you control. The downsides are: If your app causes high traffic you will most likely experience high traffic on the proxy machine. Further if attackers figure out the URL to your Google Maps API proxy endpoint it will be easy for them to retrieve the GMaps API through your service.
(2) The second option would be to create a service to retrieve your API keys. Assuming your application already needs some form of authentication anyways you cold go a road where the API key service hands out the API key only to registered and authenticated users.
Both approaches will have their downsides regarding better tooling for debugging mobile-web applications. I.e. an attacker using MacOS, XCode and Safari on a desktop could establish a debugging session to your Cordova application and step debug the JS code that runs inside your App. Which means whatever stretch you make in the Cordova arena it is quite easy to attach to your App and read variables.
No credit to comment on accepted answer but personally, I'd go for the 2nd option suggested by Matthias Steinbauer. However, his concern about an attacker debugging your Production app doesn't apply to apps built with a Distribution Provisioning profile (such as required when submitting to the App Store) - only apps signed with a Developer Provisioning profile. The same goes for Google Apps too. IF it were possible to just debug a prod app, then say goodbye to security.
Having said that, an App's static content can be viewed by others (since app is just a zip file) - so don't hard-code any keys or security info.
Personally, I'd also obfuscate the source when building prod version.
Hope it helps
I am an amateur website developer but proficient in html and javascript.
I have a handful of websites using the Google Maps API V2 with no problem. I tried to upgrade to V3. I got a new API key and used the sample html (based on Australia) provided by Google. All I got was the 'disabled' message.
If I remove the key completely it works! What am I doing wrong?!! (www.gn45.com/gmap.html)
This message appears, because there's a particular domain whitelist, that is configured for each business account. By default, you can always access google APIs with an API key from localhost, but any other domain should be specifically set within account management.
With the mobile application, your index.html is read from the filesystem and then passed to in App Browser. Therefore google rejects a request to the API with API key. You can temporarily remove API key from your request and access the API without any, this way you'll have a 50k request/month limit, which should be sufficient for development purposes.
I'm looking for a way to configure this myself, as soon as I find one, I'll provide an update.