referer string for imagery request #3197

Closed
althio opened this Issue Jun 27, 2016 · 3 comments

Contributor

althio commented Jun 27, 2016

Hi iD team,

Is there a 'referer' string or anything similar, that could be used to identify a request issued by iD?

The use case is to allow access to some imagery only for OSM tracing (hence trying to detect iD and JOSM users to provide them the tiles).

Member

bhousel commented Jun 27, 2016

The way we handle this in the Mapbox Imagery layer is to append an access_token parameter to the request: see editor-layer-index sources/world/MapBoxSatellite.json

Contributor

althio commented Jun 28, 2016

Good to know, but it looks like a public token. Is it so?
Is that enough for a private/exclusive access?

What is the recommended way to handle private access to imagery, where the imagery provider wants to allow usage for OSM tracing only, but restrict other uses?

Member

bhousel commented Jun 28, 2016

> Good to know, but it looks like a public token. Is it so?
> Is that enough for a private/exclusive access?

Yes, it's a public token that would need to be rotated if anybody abuses it.

If you want truly private access, I guess you could make users go to a page to accept terms, then set a browser cookie. When iD requests images from that domain, the cookie will be sent and you can check for it server side. If the user clears their cookies or switches browsers they will need to go through the process again.
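
The cookie check described in the last comment, as an added example that is not part of the thread or of iD's code: after the user accepts the terms, the imagery server issues an HMAC-signed, expiring cookie and verifies it on every tile request. The cookie name, terms version string, lifetime and secret handling are assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Assumptions (not from the thread): cookie name, lifetime, terms version
# string, and a demo secret. A real server loads the key from configuration.
SECRET = secrets.token_bytes(32)
COOKIE_NAME = "imagery_terms"
MAX_AGE = 30 * 24 * 3600  # seconds


def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()


def issue_cookie(terms_version, now=None):
    """Set-Cookie header value returned once the user accepts the terms."""
    expires = int((time.time() if now is None else now) + MAX_AGE)
    payload = f"{terms_version}.{expires}"
    # The editor loads tiles cross-site, so the cookie needs SameSite=None
    # (which in turn requires Secure) to be attached to those requests.
    return (f"{COOKIE_NAME}={payload}.{_sign(payload)}; Max-Age={MAX_AGE}; "
            "Path=/; Secure; HttpOnly; SameSite=None")


def check_cookie(cookie_header, terms_version, now=None):
    """True if the request's Cookie header proves a current acceptance."""
    now = time.time() if now is None else now
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name != COOKIE_NAME:
            continue
        payload, _, sig = value.rpartition(".")
        # Constant-time comparison; reject before trusting any field.
        if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
            return False
        version, _, expires = payload.rpartition(".")
        return (version == terms_version and expires.isdigit()
                and int(expires) > now)
    return False


def tile_status(cookie_header, terms_version="2016-06"):
    """HTTP status for a tile request: 200 to serve, 403 to refuse."""
    return 200 if check_cookie(cookie_header, terms_version) else 403
```

Unlike the public access_token, the signed value cannot be extended or re-issued by a client, and bumping the terms version invalidates every outstanding cookie at once.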
