fix(maps): allow OSM tile Referer and use HTTPS tile URLs #164
Merged
OpenStreetMap blocks tile requests without a Referer header, but Horde sent Referrer-Policy: same-origin, which suppresses cross-origin Referer on map tile loads. Use strict-origin-when-cross-origin instead. Also update bundled OSM tile URLs to https://tile.openstreetmap.org.
Contributor
Author
@ralflang please review, esp. regarding security (policy change)
ralflang
approved these changes
Jun 17, 2026
| attribution: "Data CC-By-SA by <a href='http://openstreetmap.org/'>OpenStreetMap</a>", | ||
| sphericalMercator: true, | ||
| url: 'http://tile.openstreetmap.org/${z}/${x}/${y}.png', | ||
| url: 'https://tile.openstreetmap.org/${z}/${x}/${y}.png', |
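Review bot: the attribution string in the unchanged context line above the `url` entry still links to http://openstreetmap.org/ over plain HTTP. Since the tile URL is moved to https:// here, switch that href to https://openstreetmap.org/ in the same change so the layer definition no longer references plain HTTP anywhere.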
Member
Suggested change
| url: 'https://tile.openstreetmap.org/${z}/${x}/${y}.png', | |
| TODO: Do not hardcode the URI (or allow an override variable with fallback to hardcode) | |
| url: 'https://tile.openstreetmap.org/${z}/${x}/${y}.png', |
Co-authored-by: Ralf Lang <ralf.lang@ralf-lang.de>
fix(maps): allow OSM tile Referer and use HTTPS tile URLs
Summary
- Referrer-Policy header so browsers send a Referer on cross-origin OpenStreetMap tile requests, which OSM requires since 2024.
- http:// to https://tile.openstreetmap.org/.

Problem
When inline maps use the OSM provider, tile requests to tile.openstreetmap.org fail with HTTP 403 and a message like “Referer is required”. Horde sets Referrer-Policy: same-origin on HTML responses, which suppresses the Referer header on cross-origin subresource requests (including map tile <img> loads).

The map JavaScript also still referenced http://tile.openstreetmap.org/..., which is outdated and problematic on HTTPS sites.

Solution
- Horde_PageOutput::header() to send Referrer-Policy: strict-origin-when-cross-origin, which is compatible with OSM’s tile usage policy and still avoids leaking full URLs on downgrade.
- osm.js, owm.js, ocm.js, and the default OpenLayers.Layer.OSM URL in OpenLayers.js / OpenLayers-debug.js.

Changed files
- lib/Horde/PageOutput.php: Referrer-Policy: strict-origin-when-cross-origin
- js/map/osm.js
- js/map/owm.js
- js/map/ocm.js
- js/map/OpenLayers.js
- js/map/OpenLayers-debug.js

Test plan
- Osm provider (Admin → General → Maps).
- https://tile.openstreetmap.org/....
- Referrer-Policy: strict-origin-when-cross-origin.

Notes
- referrerpolicy support in OpenLayers; fixing the page-level policy is sufficient for current tile loading.

Suggested commit message
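Added example, not part of the pull request or of Horde's code: a simplified JavaScript model of how a browser derives the Referer header under the old and new policies for the cross-origin tile request described under Problem. The page URL, the tile coordinates and the helper names refererFor and tileStatus are assumptions made for illustration.

```javascript
// Simplified model of the Referrer Policy rules for the policies named in this PR.
// Assumption: http(s) URLs only; "downgrade" = HTTPS page requesting a non-HTTPS URL.
function refererFor(policy, pageUrl, requestUrl) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  const sameOrigin = page.origin === req.origin;
  const downgrade = page.protocol === 'https:' && req.protocol !== 'https:';

  // A full referrer never carries the fragment or embedded credentials.
  const stripped = new URL(page.href);
  stripped.hash = '';
  stripped.username = '';
  stripped.password = '';
  const full = stripped.href;
  const originOnly = page.origin + '/';

  switch (policy) {
    case 'same-origin':
      return sameOrigin ? full : null;
    case 'strict-origin-when-cross-origin':
      if (sameOrigin) return full;
      return downgrade ? null : originOnly;
    default:
      throw new Error('policy not modelled here: ' + policy);
  }
}

// Model of the tile server behaviour described above: no Referer means HTTP 403.
function tileStatus(referer) {
  return referer === null ? 403 : 200;
}

// Constructed sample values (hypothetical Horde page, arbitrary tile coordinates).
const PAGE = 'https://horde.example.org/kronolith/event.php?id=42#map';
const TILE_HTTPS = 'https://tile.openstreetmap.org/12/2200/1343.png';
const TILE_HTTP = 'http://tile.openstreetmap.org/12/2200/1343.png';

for (const policy of ['same-origin', 'strict-origin-when-cross-origin']) {
  for (const tile of [TILE_HTTPS, TILE_HTTP]) {
    const referer = refererFor(policy, PAGE, tile);
    console.log(policy, '->', tile, '| Referer:', referer, '| status:', tileStatus(referer));
  }
}
```

Under the new policy the tile server sees only the page origin, never the path or query string. In this model a plain-HTTP tile URL requested from an HTTPS page still yields no Referer, so the header change only helps once the tile URLs are HTTPS.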