I have a very weird page specific error on App Engine with Javascript.
The Page loads in other domains and works perfectly.
Other similar pages in the problem domain also work perfectly.
If you go to any of these
http://headlessuber.com/place.php
http://solomonschariot.com/place.php
http://clintoncars.us/place.php
and type in Space Needle for the location and tab the Lattitude appears, but if you go
http://fastlanesplease.com/place.php
and do the same it does not.
It also works on other pages with identical structures in this and other domains ????
MissingKeyMapError Error
The script element that loads the API is missing the required authentication parameter. If you are using the standard Maps JavaScript API, you must use a key parameter with a valid API key. If you are a Premium Plan customer, you must use either a client parameter with your client ID or a key parameter with a valid API key.
See the guide to API keys and client IDs.
Related
I'm currently using GitHub pages to host my website and I'm making a simple web app that requires an API call. The API call is a web url with certain parameters and one of the mandatory parameters is the personal API key issued from the service which they strictly warn to not share with others cause its the equivalent of sharing your password. This service has no public API keys, only account bonded ones.
In my JavaScript file I have a line that goes something like this:
var api= "https://osu.ppy.sh/api/get_beatmaps?k=[MY API KEY HERE]"
Where this string is then used in a getJSON call.
Where after the ?k= is my account tied API which I do not want to share because its the equivalent of giving out my password. I realised that any user can just go on myname.github.io/js/script.js and they can view the JavaScript and thus see my API key. Is there a way to make it so this file is unable to be accessed or a way to make it so no one can see my API key.
Unless you can isolate this, as in run that code on a server you control and can lock down, the answer is no.
You could also do this "serverless" as in an Amazon Lambda function or equivalent.
Remember, client-side code runs client-side, so if they have access to your key, they have access to your key. The only way around this is to intermediate or proxy the request.
This question already has answers here:
What steps should I take to protect my Google Maps API Key?
(4 answers)
Closed 3 years ago.
How can I mask API Keys and tokens (in JS code and in the http calls headers) so that a person using fire bug or developer tools won't be able to extract it and use it? for example google maps API keys.
Google API key is in my HTML file.
Tokens are in the headers of http
requests, or a parameter in the URL.
APIs in any platform can use an unrestricted API key. However, you have the option to add a restriction to the API key. Once restricted, the key will only work on platforms that support that type of restriction.
To add restrictions for an API key, do the following:
Go to the Google Cloud Platform Console.
From the Project drop-down menu, select the project that contains the API key you want to secure.
From the Navigation menu, select APIs & Services > Credentials.
On the Credentials page, click the name of the API key that you want to secure.
On the API key page, under Key restrictions, set the Application restrictions.
Select HTTP referrers (web sites).
Add the referrers (follow the instructions).
Click Save.
For more information check Google Documentation
Google outlines their API Key Best Practices. I'll highlight two of their recommendations:
Restrict the API so it can only be used from your domain. Even if someone else sees your key, they won't be able to use it unless the web page the request is coming from is your on server/domain. (However, someone might be able to spoof the request as if it's coming from your domain.) You can also restrict which APIs can be called, which makes it less useful for attackers.
Use a proxy-server so your keys are never exposed. Instead of calling Google APIs directly, you make a request to your server, which then calls the Google API and sends the data back. Since your proxy server already knows your keys, private information never needs to be transmitted to the user's browser.
I have searched many links and read documents related to google api key, but every time I am getting the only error of Your site URL to be authorized
I am creating a PhoneGap hybrid application where I am not sure if which URL I have to pass to google api key referrer so I am stuck here
What I am using for google script is:
<script src="https://maps.googleapis.com/maps/api/js?v=3&key=MY_API_KEY&sensor=false" type="text/javascript"></script>
Updated
I have already created Browse Key using google console but now What I have to pass in referrer link ( ? ) while I am creating a cordova application
I Dont know if this will help anyone but I spent a good hour trying to figure out this problem and ended up realizing I had the wrong API enabled.
You need Google Maps JavaScript API enabled.Also sometimes you need to specify https.
1.Leave it blank
2.You need to enable the google maps api for your project.
You need to enable the google maps api for your project.
if your API key have no limitation and it still not work - trying to add signed_in=true to url. It helps for me.
This error means that the current URL loading the Maps JavaScript API has not been added to the list of allowed referrers. Please check the referrer settings of your API key in the Cloud Console. (source: https://developers.google.com/maps/documentation/javascript/error-messages#referer-not-allowed-map-error)
Go to the Google Cloud credentials page to add your website url: https://console.cloud.google.com/projectselector2/google/maps-apis/credentials
Select the API key that you want to set a restriction on. The API
key property page appears.
Under Key restrictions, set the following restrictions:
Application restrictions:
To accept requests from the list of website that you supply, select HTTP referrers (web sites) from the list of Application restrictions.
Specify one or more referrer web sites. For example, *.google.com accepts all sites ending in google.com, such as https://developers.google.com.
Note: file:// referers need a special representation to be added to the key restriction. The file:// part should be replaced with __file_url__ before being added to the key restriction. For example, file:///path/to/ should be formatted as __file_url__//path/to/*. After enabling file:// referers, it is recommended you regularly check your usage, to make sure it matches your expectations.
Save your changes
You must include an API key with every Maps JavaScript API request. In the following example, replace YOUR_API_KEY with your API key.
<script async defer src="https://maps.googleapis.com/maps/api/js?key=YOUR_API_KEY&callback=initMap"></script>
(source: https://developers.google.com/maps/documentation/javascript/get-api-key#restrict_key)
Need to get Google Map V3 API work in my application with purchased ClientID.
The application is using WebBrowser Control to load html into documentText and the Url is 'about:blank'. The problem is I can't put about:blank into authorized URLs list in google map console. Also I can't host html as it needs a lot of data from database. It must be in application. Can anyone help me how to use google map clientID in application? Thanks a lot.
Error: This page was unable to display a Google Maps element. This URL
is not authorized to use the provided Google Maps Client ID. Error
Code: UnauthorizedURLForClientIdMapError
Got support from google. To use Client ID this way, they actually have to manually add 'about:blank' into white list.
about:blank is not a URL, it is in some sense the absence or a URL. In fact, loading the API from about:blank does not send a referer header, and window.location in about:blank is empty.
What this means is that you cannot restrict your client id to a specific URL whitelist if you intend to use the API in this way. This would, however, mean that your client id could be used from any host.
In the past I have added domains to the Javascript API Domains list for my LinkedIn app and had those domains work with the app without issue. However, I added another domain a couple of days ago and I still get the following error
JavaScript API Domain is restricted to localhost, first.domain.com, second.domain.com,.....
The error message does not contain the new domain I added. This is confusing because I can see the newly added site in the Javascript API domains list in the administration console for the LinkedIn app.
Is there anything I'm missing or has something changed with the API regarding this?
What was happening is that we were adding the new domain to the Authentication list (in the Authentication tab of the settings page) instead of the JavaScript list. Adding the new domain to the Valid SDK Domains list in the Javascript Settings tab worked as expected.