I'm trying to implement Google's Time Zone API and even though I have generated a Browser API key, added it to my code, and added the referrer to the Google Developers Console, I am still getting the following error when trying to use JavaScript to return the data:
This IP, site or mobile application is not authorized to use this API
key. Request received from IP address 12.34.56.789, with referer:
https://www.example.com/timezone
My referrer in the developers console is
*.example.com/*
The documentation says I need a server key but I tried and it didn't work either (and it doesn't make sense to need a server key vs a browser key).
Any ideas of what I can check to see why this isn't working? If I delete the referrer, everything works. So, I know it has something to do with that but the referrer matches the wildcard according to Google's own documentation. Furthermore, even if I enter the referrer exactly as the error indicates, I still get the REQUEST_DENIED status.
Figuring this was a bug in the API, I logged an issue with Google support. Turns out, there currently does not exist a JavaScript API for time zone, only a Web Service that requires a Server Key. Here's the link to the issue on Google Code.
Still needing a way to get timezone info from lat/lng I started using timezonedb.com. There is no way to limit referrer but at least it's something.
As you may have noticed from previous questions, I'm building a web site that will support authentication via Webauthn using Yubikeys (maybe other tokens later). As part of that process I'd like to be able to (1) detect whether or not an authentication token is already present, so I can prompt the user to insert one if not, and (2) determine what type of token is inserted, so I can include an image of the token with helpful animation/instructions about how to use it when it comes time for them to verify their presence by (with Yubikeys) pressing a touchpad or other contact.
Offhand I don't see anything in the navigator.credential API that seems to suggest that this is possible, and maybe it would violate all sorts of Javascript security limitations if client code is allowed to probe devices, but I just wondered if anyone has any hints about how such a thing could be done?
Thanks!
Indeed, this cannot be done to prevent tracking users against their will based on their available authenticators.
The most that can be determined is if the browser is running on a platform with a built-in authenticator via isUserVerifyingPlatformAuthenticatorAvailable.
See also some recent related discussion in the spec repository https://github.com/w3c/webauthn/issues/1563
Currently, I'm trying to implement Google Map Autofill address functionality to get the address latitude and longitude on my website.
I've created a Google Maps JavaScript API key on Google Console and insert the API key in the script:
<script src="https://maps.googleapis.com/maps/api/js?key=[api_key]&libraries=places&callback=initAutocomplete"
async defer></script>
When I'm running the project on localhost, it gives me the autofill address suggestions along with the latitude and longitude for the particular address I've chosen.
But, when I'm trying to run the project on a live server it's giving me several errors. Fixed all the errors, but still, it's not giving me the result.
Tried for 5-6 days, tried different APIs, but the result is same.
I even copied the code from https://developers.google.com/maps/documentation/javascript/examples/places-autocomplete-addressform and inserted my API key, but nothing seems to be working.
Can anyone suggest what I need to do?
The error you get is indicating that the API key used has referrer restrictions, and the domain you are trying to use the API key on is not an authorized referrer.
It's possible that you may need to add asterisks for wildcards to your authorized referrers. For example your test link:
http://test.digiegeeks.com/gmap/
You should authorize something like:
*.digiegeeks.com/*
Or for your secure p4programming domain you mentioned, something like this:
*.p4programming.net/*
If you include asterisks as shown above as wildcards, do you still get the referrer error?
I hope this helps!
I am getting the error RefererNotAllowedMapError from some PCs when I load a page on my site.
RefererNotAllowedMapError
The current URL loading the Google Maps JavaScript API has not been
added to the list of allowed referrers. Please check the referrer
settings of your API key on Google Cloud Console.
See API keys
It works OK on Firefox from 3 out of four of the machines I have tested.
Generally this would mean that the domain is not added as a referer in my API console but it definitely is, and it definitely works on other machines.
Anyone else had this issue or able to provide some guidance?
Recreating the API key at console.developers.google.com fixed the issue for me.
Try to add all types of URLs, like:
http://stackoverflow.com/*
http://www.stackoverflow.com/*
*.stackoverflow.com/*
Definitely it will work.
Note the DOT at the beginning of the expression, it's a char!
*.stackoverflow.com/* // this will not work with http://stackoverflow.com and will allow for domains such as demo.stackoverflow.com
Replace above with:
*://stackoverflow.com/* // now it will cover all domain variation but not subdomains.
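To see which site variants a set of referrer patterns covers, the following added example (not part of the original answers and not Google's matcher) models the behaviour described above: `*` matches any run of characters and the dot is a literal character. Treating a pattern without `://` as accepting any scheme, and matching scheme, host and path separately, are assumptions of this sketch.

```javascript
// Added illustration, not Google's matcher. Assumed model: "*" matches any
// run of characters, every other character (including ".") is literal, and a
// pattern without "://" accepts any scheme.
function globToRegExp(glob) {
  const body = glob
    .split("*")
    .map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + body + "$");
}

function parsePattern(pattern) {
  const schemeEnd = pattern.indexOf("://");
  const scheme = schemeEnd === -1 ? "*" : pattern.slice(0, schemeEnd);
  const rest = schemeEnd === -1 ? pattern : pattern.slice(schemeEnd + 3);
  const slash = rest.indexOf("/");
  return {
    scheme,
    host: slash === -1 ? rest : rest.slice(0, slash),
    path: slash === -1 ? "/*" : rest.slice(slash),
  };
}

// Match scheme, host and path separately so a host wildcard cannot spill into the path.
function referrerMatches(pattern, referrer) {
  const p = parsePattern(pattern);
  const u = new URL(referrer);
  return (
    globToRegExp(p.scheme).test(u.protocol.replace(/:$/, "")) &&
    globToRegExp(p.host).test(u.hostname) &&
    globToRegExp(p.path).test(u.pathname)
  );
}

// For each URL, list the patterns that would allow it.
function coverage(patterns, urls) {
  const report = {};
  for (const url of urls) report[url] = patterns.filter((p) => referrerMatches(p, url));
  return report;
}

// Constructed sample using the patterns quoted in the answers above.
const PATTERNS = ["*.stackoverflow.com/*", "*://stackoverflow.com/*", "http://www.stackoverflow.com/*"];
const URLS = [
  "http://stackoverflow.com/",
  "https://stackoverflow.com/questions",
  "http://demo.stackoverflow.com/page",
  "http://www.stackoverflow.com/",
];
console.log(coverage(PATTERNS, URLS));
```

An empty list for a URL in the report means no pattern covers that variant, which is the situation that produces a referrer error on only some entry points to a site.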
For me to use Places API I had to turn on Maps JavaScript API
This gives error because your Google map API key is not a browser key. Create new key as 'browser key'. This option is available when you create a new key.
I had a similar issue where I was trying to use the API but had it restricted to Map product only. It generated the same error even though http referrer box had nothing in it (open for all). The problem went away after recreating a new key without any product restriction.
Creating a new Browser Key fixed it for me.
https://console.developers.google.com/projectselector/apis/credentials
RefererNotAllowedMapError Error The current URL loading the Google
Maps JavaScript API has not been added to the list of allowed
referrers. Please check the referrer settings of your API key on the
Google API Console.
See API keys in the Google API Console. For more information, see Best
practices for securely using API keys.
The only thing that worked for me was to create a brand new key w/no restrictions, including no API restrictions.
This won't be a working solution in the production environment, but it allows us to move ahead w/development.
The solution to every/such Maps JavaScript API error varies for different scenarios for different developers. A list of errors with detailed description is given by Google here
Nevertheless please refer to the below snap:
As you can see above under Application restrictions just by selecting the HTTP referrers won't do. You have to add a URL (i.e. the URL of the website from which the API will be called to render the map).
Now the exact page (in my case the contact us page) which is gonna make the request to the API needs to be mentioned in the URL and not just the domain.
Please go through the examples given in the documentation on the right
Adding a /* after the domain url like http://www.telesuprecon.com/* will make the request possible from any page within your website.
I recently made a Chrome Extension (FrontPage) which uses the New York Times API.
I send an AJAX request to the API and it responds with JSON. However, in order to be able to do so, I need to set permissions in the manifest.json file to be https://api.nytimes.com/* thusly:
...
"permissions": [ "https://api.nytimes.com/*" ],
...
in order to not have the Extension crash and burn and give a Cross Origin rejection.
However, any time a user installs my Extension from the Web Store, they get a scary looking warning along the lines of: "[The extension] Can access all your data on api.nytimes.com".
All I'm doing is sending a request and receiving + parsing a response from a public API. The warning seems excessive. I'm not storing in any way, any user data.
Is there a way around this i.e. is there a way to use an API in a Chrome Extension without displaying to the user this warning? Am I approaching this in a non-canonical way?
There is no way to do what you are asking. Chrome is just informing users what your app can do. They have no way to trust you. What I suggest you do and what I have seen others do is inform potential down-loaders of the warning on your app's description page.
Something like
"Warning: you may get a scary warning message blah blah because my
extension blah blah, I don't do anything with your data, I encourage
you to look at the source if you are curious."
Most people are used to seeing and accepting these warnings by now anyways. Yours actually make a lot of sense, because users can intuitively see how that page is related to your extension.
Read and modify all your data on all websites you visit
Is a bit more tricky to deal with.
To more directly deal with your original question: It's the stuff you put in the "permissions" array that determines what warnings (if any) get generated.
Here is a list of all of the possible warning messages and the permissions they apply to. The page also contains a listing of the permissions which don't generate any warning messages.
If the API is public, then chances are that it has permissive CORS headers enabled.
Some anecdotal evidence from the developers forum suggests it is the case for NYTimes API, for at least some endpoints (can't test it without an API key). If it's not enabled for the endpoint you are using, you can request that.
In that case, you don't need a permission for cross-origin requests to that API, XHR should succeed anyway.
Answers by Xan and Luke are of course correct but haven't mentioned an important alternative that will help you:
You can make it an optional permission and request it later at run time prefaced with an explanation as to why it's needed (better yet first ask for it, and if the user declines then explain to them they must accept).
Just remember optional permissions must be asked after a user action, so show a modeless dialog with a button and ask for permission when the button is clicked. I had a similar issue in my extension.
In my case I just needed to create and read a specific Google spreadsheet but that means asking for their entire Google Drive for read/write.
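The optional-permission flow described in this answer, as an added example that is not part of the original post or the asker's extension. It assumes the origin is declared under `optional_permissions` (Manifest V2) or `optional_host_permissions` (Manifest V3) instead of `permissions`; the `ui` object and the element ids are hypothetical.

```javascript
// Added example, not the asker's extension. Assumes the origin is declared under
// "optional_permissions" (Manifest V2) or "optional_host_permissions" (Manifest V3)
// rather than "permissions". The `ui` object and element ids are hypothetical.
const NYT_ORIGIN = { origins: ["https://api.nytimes.com/*"] };

// `permissions` is chrome.permissions, passed in so the flow can run outside Chrome.
function initApiAccess(permissions, ui, onReady) {
  permissions.contains(NYT_ORIGIN, (alreadyGranted) => {
    if (alreadyGranted) return onReady();
    ui.showExplanation(); // modeless notice: why the extension needs this origin
    ui.onGrantClick(() => {
      // request() is called directly in the click handler: Chrome only shows
      // the permission prompt in response to a user gesture.
      permissions.request(NYT_ORIGIN, (granted) => {
        if (granted) {
          ui.hideExplanation();
          onReady();
        } else {
          ui.showDeclined(); // explain that articles cannot load without access
        }
      });
    });
  });
}

// Wiring inside the extension page (skipped when `chrome` is not defined).
if (typeof chrome !== "undefined" && chrome.permissions) {
  const box = document.getElementById("grant-box");
  const status = document.getElementById("grant-status");
  const ui = {
    showExplanation: () => { box.hidden = false; },
    hideExplanation: () => { box.hidden = true; },
    showDeclined: () => { status.textContent = "Access declined: articles cannot be loaded."; },
    onGrantClick: (fn) => document.getElementById("grant-button").addEventListener("click", fn),
  };
  initApiAccess(chrome.permissions, ui, () => console.log("api.nytimes.com access granted"));
}
```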
When you set up a Google Analytics profile and you specify the domain, does Google make any sort of validation prior to registering a hit?
Does it check that the call comes from the specific domain, based on the key you are provided (ie UA-11580xxxx-xx)?
If I get the above analytics key and put it in another domain, will the hits on that site be registered for the domain for which the key was generated?
Thanks
Sort of.
By default, Google Analytics accepts hits to your account without ever checking where it comes from, so you could register your domain as foo.com, and still forever send traffic from bar.com without any trouble (or from a mobile app, etc).
However, Google provides an optional validation tool that will crawl the page of the website you provide, in order to validate whether or not you installed it correctly. But usage of this tool is optional, and is not a prerequisite for successfully sending and receiving data.
I believe it does. I dynamically generate my Analytics JS code just from the key, and, when I've put the wrong one in, I'm pretty sure the traffic appears to go to the wrong site.
I'll re-test one of my sites to make sure...
When you put the analytics code at the bottom of your HTML (with the key you got from Google), the first day you don't see anything, because Google is then already counting all visits on your website. After a day you can see the results from the previous day.