Hello! We have created a component that makes calls into a Maps API in order to display some map area. This API requires a list of URLs which are allowed to access it. We have noticed that outgoing requests from the iframe don't have the referrer attribute set, which means that it won't match our list of allowed-URLs. My understanding is that this is because the iframe's src is not set (instead it is using srcdoc). Is there any way around this?
#How to set referrer on outgoing requests from the iframe?
hearty ermine
mellow hemlock
Hey @hearty ermine!
Would you mind sharing which Maps API you're using? Are you rendering the maps with iframes, and are those iframes using srcdoc instead of src?
I just tested adding a component with a nested iframe in Puck to check whether it appends the referrer header to the request. On my end, it does include the header, and it points to the origin.
You could also try setting the referrerPolicy property in Puck’s iframe using an iframe override. That might resolve the issue, but without knowing more about your maps library, it's hard to say for sure.
Let me know and I’ll look into it for you.
hearty ermine
Sure! We are using Mapbox for our map. There isn't a separate iframe for the map specifically, if that's what you were asking. The iframe that the components live in is the preview-frame iframe, which uses srcdoc. Since this is the map's parent iframe, the lack of src is making the referrer not set.
The referrerPolicy is a good idea! We had actually looked into using the iframe override to try and set this property earlier, but our understanding was that since that is a property on the iframe element itself, this isn't settable from the override function (which just takes in document and children). Our understanding is that the override only controls the contents inside the iframe, not the iframe HTML element.
