Mapbox-gl-js: Allow Cross-site Source Data Request with Credentials

Created on 30 Dec 2016  路  6Comments  路  Source: mapbox/mapbox-gl-js

Motivation

What use cases are we trying to accommodate?

Source data may contain private data that requires authentication. Furthermore, the data may be hosted at a different http origin than the map application. Currently, cross-site MapBox ajax requests will not pass authentication tokens.

Design Alternatives

Add a boolean option to the various types of sources called "withCredentials", where if it is true the XMLHttpRequest will have the withCredentials option set to true. For example:

"mapbox-streets": {
"type": "vector",
"url": "mapbox://mapbox.mapbox-streets-v6",
"withCredentials": true
}

Concepts

How will we teach this design?

In the style spec, add a description of the new option.

Implementation

How you would implement the design in Javascript?

var xhr = new window.XMLHttpRequest();
xhr.open('GET', url, true);
xhr.responseType = 'arraybuffer';
xhr.withCredentials = withCredentials;
feature
Source
picture jasonpepper
👍7

Most helpful comment

Without this feature, it isn't possible to have secure map data. Signing URLs have too much of an overhead. I think @x9xjdzz9 's proposed design makes sense.

picture CrokinoleMaster on 10 May 2017
👍4

All 6 comments

For the same reasons as https://github.com/mapbox/mapbox-gl-js/pull/2918, I'm not sure this feature fits the TileJSON ethos. This may need to depend on #3326.

lucaswoj picture lucaswoj on 4 Jan 2017

@lucaswoj those two issues look closed. Any plans on allowing credentials?

CrokinoleMaster picture CrokinoleMaster on 9 May 2017

this feature is not on our current roadmap @huaruiwu. if you'd like to bump it up in the priority rankings, we gauge the popularity of feature requests by reactions on the issue's original post 馃憤

mollymerp picture mollymerp on 10 May 2017

Without this feature, it isn't possible to have secure map data. Signing URLs have too much of an overhead. I think @x9xjdzz9 's proposed design makes sense.

CrokinoleMaster picture CrokinoleMaster on 10 May 2017
👍4

We're looking to swing json and image hosting over to Cloudfront using Signed Cookies, and after struggling to track down what was happening, it appears we're running into this exact same issue. :(

rayterrill picture rayterrill on 4 Aug 2017

Closed in #5021

asheemmamoowala picture asheemmamoowala on 4 Aug 2017
Was this page helpful?
0 / 5 - 0 ratings

Related issues

infacq picture infacq  路  3Comments
aendrew picture aendrew  路  3Comments
bgentry picture bgentry  路  3Comments
shotor picture shotor  路  3Comments
BernhardRode picture BernhardRode  路  3Comments