Comments (5)
patrickarlt
commented on June 1, 2024
1
Closing this. See my comment in #1378 (comment).
I will add here that there are reasons we do support this in ArcGIS REST JS but not in Esri Leaflet:
- ArcGIS REST JS can also be used outside a browser context which can hide the token in
GETrequests without the complexities of browser preflighting and CORS restrictions. - ArcGIS REST JS generally isn't used to make the kinds of high volume high performance queries that need specific caching requirements like loading feature layers in viral applications that must use
GETfor caching reasons and can't have a performance hit for preflighting requests.
from esri-leaflet.
gavinr-maps
commented on June 1, 2024
Hi @acass91, thank you for logging this issue.
Could you please give us some more information about your use case - why having this in the URL param is an issue for you? Note that HTTPS/SSL does secure GET URL params, but we understand that there are other reasons and situations that may be an issue for this, so we wanted to hear more about your particular case.
That all being said, I discussed this with @patrickarlt and we think the lower-level request module could be updated to support HTTP Header Auth, which should resolve your issue, but it might be a big change so may not have time right now. We would probably accept a PR to make HTTP Header Auth an option though if you'd like to take a crack at it!
Thanks!
from esri-leaflet.
acass91
commented on June 1, 2024
Hi @gr-maps, my organization reported this to my team as a vulnerability from OWASP.
Truth be told, this isn't really an issue for me, but I am trying to justify not updating our application.
from esri-leaflet.
gavinr-maps
commented on June 1, 2024
Ok, thank you for that context. In that case I think this is still applicable:
That all being said, I discussed this with @patrickarlt and we think the lower-level request module could be updated to support HTTP Header Auth, which should resolve your issue, but it might be a big change so may not have time right now. We would probably accept a PR to make HTTP Header Auth an option though if you'd like to take a crack at it!
Thanks!
from esri-leaflet.
BrunoCaimar
commented on June 1, 2024
I believe that this PR #1378 can fix this issue. I've tested using it with a FeatureLayer and a DynamicLayer.
This PR solution is similar to the approach that ArcGIS REST JS is using.
from esri-leaflet.
Related Issues (20)
- FeatureLayer _redraw method throws error if defined for a multilinestring HOT 6
- Support for Leaflet 1.9.0 HOT 11
- Leaflet 1.9.3 error - can't access property "properties", layer.feature is undefined HOT 10
- Popups broken with esri-leaflet 3.0.10 and leaflet 1.7.1 HOT 1
- DarkGray and Gray tilemap do not have dynamic attributions HOT 3
- Points on the map are not being shown when zoomed in HOT 6
- Documentation for tiledmapLayer is not strictly accurate. Can use alternatives to epsg:3857 HOT 8
- Esri attribution removes custom Leaflet prefix
- Dynamic Map Layer layerDefs force POST HOT 4
- Husky update HOT 1
- From ArcGIS Enterprise: Zooming in at maximum extent the layer stops loading HOT 1
- FeatureLayer: initial tiles are requested concurrently with metadata HOT 2
- 🎃 𝗛𝗮𝗰𝗸𝘁𝗼𝗯𝗲𝗿𝗳𝗲𝘀𝘁 𝗗𝗲𝘁𝗮𝗶𝗹𝘀 𝗳𝗼𝗿 𝗣𝗮𝗿𝘁𝗶𝗰𝗶𝗽𝗮𝗻𝘁𝘀 👨💻 HOT 1
- Request GeoJSON by deault for feature services
- When the lod value for some zoom level is 0 tiles is not display properly HOT 3
- MapServer with custom LODs. initial tile set zoom level is wrong
- Error when using ESM CDNs - `The requested module does not provide an export named 'toLatLngBounds'`
- Examples in Documentation return 401 error HOT 4
- esri-leaflet api required and freely allowed (terms of use)? HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from esri-leaflet.