-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to load tiles - 403 Forbidden from whitelisted domain #12568
Comments
Anyone? |
Hi @tommed, Thanks for opening the issue, this looks like a bug. |
@tommed I couldn't reproduce this issue, and the link you provided requires authorization. Could you please share the request headers? |
No problemo. I'll get you these details tomorrow. Thanks for looking at this. |
@tommed sorry for the late response — we've looked into this but haven't been able to reproduce, it seems to work properly on the Mapbox API side. Perhaps there's something in your environment that interferes with the browser setting Referrer headers for requests, e.g. some security policy or a particular extension? |
No problem, will provide additional info as above. |
Ok so, General
Request
Response
CSPThe site's CSP (which obviously isn't blocking this outbound call otherwise it wouldn't be receiving the 401 from your servers), is as follows:
Mapbox API SettingsApproved URLs:
I've triple-checked the mapbox API key in the request and it is indeed accurate. RefereerAs mentioned by @mourner, I have changed the Referrer policy to
Lastly, I even tried setting the referrer policy to |
@tommed In our case, we cannot change the global referrer policy for security reasons. I just opened a PR with a change that lets us set referrerPolicy in |
@robertcepa that's a great solution; seems odd to be able to override the global referrer policy using JavaScript, sounds like something a script injection could also achieve - but I'm assuming smarter brains than my own have decided to allow this in browsers and most likely for this exact scenario. I'll keep an eye on your PR as ideally we don't want to relax our referrer policy either. |
You were right. It was a browser caching thingy. Thanks for the update - shame about having to reduce the referrer policy, but understand the logic behind it. Thanks for everything |
mapbox-gl-js version: 2.12.1
browser: Google Chrome 110.0.5481.77
Steps to Trigger Behavior
mapbox://styles/mapbox/streets-v11
Link to Demonstration
From URL: https://staging.mps.ukp.vipro.online/dashboards/location-tracker
However:
Expected Behavior
Would have expected it to load.
Actual Behavior
403 Forbidden error. Interestingly, the map itself works fine, it just doesn't display any of the tiles.
The text was updated successfully, but these errors were encountered: