What is the referer from Losant to Google APIs?

My dashboard can show Google Maps using my Google Javascript API, but only if I remove all restrictions(!). This means anyone can use it, if they know my key. I don’t want this situation. Google allows me to enter websites, or filepaths, etc… to be allowed.

What is the actual referer, from Google’s perspective, to the Google Maps API?

What do I tell Google to allow my Losant dashboard to access my API?
The text shown, or with https, doesn’t work (gives error “Google Maps JavaScript API error: RefererNotAllowedMapError https://developers.google.com/maps/documentation/javascript/error-messages#referer-not-allowed-map-error Your site URL to be authorized: about:srcdoc”).

So from a certain perspective, there is no actual referrer - the Custom HTML block is instantiated as a blank iFrame before your custom content is added. Have you tried the suggestion from the error message, making about:srcdoc a valid referrer?

I’m going to look into this a bit myself, and see what restrictions I can place on a Google Maps API key - but let me know if about:srcdoc works.

I can confirm that restricting the key to about:srcdoc works for a custom google map block I put together - let me know if that works for you!

I cannot get it to work. Where did you put the text about:srcdoc to get yours to work? I get a strange error from the Google page after I try to SAVE it.

Hmm, I had no trouble entering it, I just typed about:srcdoc and it let me add it:

I deleted the other entry I had and it took it.

Is there a way to personalize it (i.e. secure it) more than that?

Using about:src, my key will now accept any Losant API requester who knows that text (basically anyone who knows how to get this far), which is better, but not best.

Great, glad it is working!

At the moment, I do not think it is possible to make the referrer more specific than that. I’m going to add a feature ticket for that or some similar capability.

Is there any more news on this?

Google will still accept ‘about:srcdoc’ as the referrer when restricting the key, which isn’t restricting the key’s usage, and using the key in any iframe could cause it to work.
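
An added example, not part of the thread and not Losant or Google code: a small audit that flags website-restriction entries on an API key that, like `about:srcdoc`, do not tie the key to a site. It generalizes beyond the thread's single case to other site-less schemes and bare wildcards; `classifyEntry`, `auditReferrerEntries` and the sample entries are hypothetical, and the entries are assumed to be the strings typed into the key's referrer allow-list.

```javascript
// Schemes whose URLs carry no host, so an allow-list entry using them
// cannot distinguish one embedding page from another.
const SITELESS_SCHEMES = new Set(["about", "data", "blob", "file", "javascript"]);

// Classify one allow-list entry as bound to a site or not.
function classifyEntry(entry) {
  const value = String(entry).trim().toLowerCase();
  if (value === "" || value === "*") {
    return { entry, bound: false, reason: "matches every referrer" };
  }
  const scheme = /^([a-z][a-z0-9+.-]*):/.exec(value);
  if (scheme && SITELESS_SCHEMES.has(scheme[1])) {
    return { entry, bound: false, reason: scheme[1] + ": URLs name no site" };
  }
  // Drop "scheme://" if present, then keep the host part only.
  const host = value.replace(/^[a-z][a-z0-9+.-]*:\/\//, "").split(/[/:]/)[0];
  const labels = host.split(".").filter((l) => l !== "" && l !== "*");
  // A wildcard host needs at least two fixed labels (example.com) to name a
  // domain. This check does not consult the public suffix list, so an entry
  // such as *.co.uk is not caught here.
  if (host.includes("*") && labels.length < 2) {
    return { entry, bound: false, reason: "wildcard host names no domain" };
  }
  return { entry, bound: true, reason: "tied to host " + host };
}

// Return only the entries that leave the key usable from any page.
function auditReferrerEntries(entries) {
  return entries.map(classifyEntry).filter((r) => !r.bound);
}

// Constructed sample allow-list for illustration.
const sample = ["about:srcdoc", "https://dashboard.example.com/*", "*.example.com/*", "*.com/*"];
for (const finding of auditReferrerEntries(sample)) {
  console.log(finding.entry + " -> " + finding.reason);
}
```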