Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mapbox tiles don't load (caching) #6897

Closed
tiotdev opened this issue Nov 13, 2019 · 6 comments
Closed

Mapbox tiles don't load (caching) #6897

tiotdev opened this issue Nov 13, 2019 · 6 comments
Labels
closed/fixed-by-component-update webcompat/not-shields-related Sites are breaking because of something other than Shields.

Comments

@tiotdev
Copy link

tiotdev commented Nov 13, 2019

Description

Sites using mapbox don't load tiles on reoccurring visits. This problem occurs only in Brave.

Steps to Reproduce

  1. Go to https://travelfeed.io/map - the tiles load
  2. Revisit a few days later - the tiles are blank, the network request to https://api.mapbox.com/v4/mapbox.mapbox-terrain-v2,mapbox.mapbox-streets-v7.json... returns 403 Forbidden (from ServiceWorker) and 403 Forbidden (from disk cache)

Actual result:

Tiles don't load

Expected result:

Tiles load

Reproduces how often:

Easily reproduced

Brave version (brave://version info)

0.70.123 Chromium: 78.0.3904.97 (Official Build) (64-bit)

Version/Channel Information:

All Brave desktop versions seem to be affected

Other Additional Information:

  • Does the issue resolve itself when disabling Brave Shields? No
  • Is the issue reproducible on the latest version of Chrome? No

Miscellaneous Information:

Related issue mapbox/mapbox-gl-js#8859

Brave mobile (android) is not affected
@tiotdev
Copy link
Author

tiotdev commented Dec 19, 2019

When analysing the requests in Chrome vs Brave, I found that Brave spoofs the referrer for some requests, changing it to "api.mapbox.com". Adding this to the whitelisted domains for my mapbox API key did the trick, but it means that I have to expose my API key to other domains than my own. This weird behaviour of Brave should be changed.

@rebron rebron added the webcompat/not-shields-related Sites are breaking because of something other than Shields. label Jan 10, 2020
@rebron
Copy link
Collaborator

rebron commented Jan 10, 2020

cc: @diracdeltas Can you take a look for referrer spoofing?

@ryanbr
Copy link

ryanbr commented Jan 22, 2020

Just trying to reproduce this, Is there an easier way to see if this still buggy @tiotdev ?

@ryanbr
Copy link

ryanbr commented Mar 7, 2020

I'm not seeing any issues loading this site (and general interactions). Attached is a gif, nothing being hit in shields from what I see (no blocked cookies either)

https://secure.fanboy.co.nz/gif/travelfeed.gif

Can you confirm everything is working okay @tiotdev otherwise it's probably safe to close this.

@tiotdev
Copy link
Author

tiotdev commented Jun 7, 2020

@ryanbr As I already wrote I solved this by adding https://api.mapbox.com/ to the allowed referrers on mapbox. Not a great solution since this opens up my API key for abuse since any site can use my API key now.
I just verified in a new project that the problem still exists.

@ryanbr ryanbr mentioned this issue Jun 8, 2020
Merged
@ryanbr
Copy link

ryanbr commented Jun 8, 2020

@tiotdev Would this patch brave/referrer-whitelist#33 help here. No security issues, just all standard referrers through.

pilgrim-brave added a commit to brave/referrer-whitelist that referenced this issue Jun 8, 2020
@pilgrim-brave
Merge pull request #33 from ryanbr/mapbox
9655785 
Fixes mapbox issues brave/brave-browser#6897 (WIP)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
closed/fixed-by-component-update webcompat/not-shields-related Sites are breaking because of something other than Shields.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@bbondy @ryanbr @rebron @tiotdev