Referrer header required for django.contrib.gis.forms.widgets.OSMWidget

[diestl]

The OSMWidget does not set the referrer header (or does not configure open layers to set the referrer header) when making tile requests to the OSM tile server. As per the OSM tile usage policy (​https://operations.osmfoundation.org/policies/tiles/), these requests are being blocked.

The OSMWidget is the default widget used in the django admin interface when using the django.contrib.gis.admin.options.GISModelAdmin admin base class for geometry fields such as django.contrib.gis.db.models.PolygonField.

To reproduce this, you need a very simple model:

from django.contrib.gis.db import models


class TmpModel(models.Model):
    geometry = models.PolygonField(geography=True)

and admin:

from .models import TmpModel
from django.contrib.gis import admin


@admin.register(TmpModel)
class DatasetAdmin(admin.GISModelAdmin):
    pass

[diestl]

Screenshot illustrating the issue in the admin interface

[steph]

The referrer policy is fixed in OpenLayers 10.8 (see ​https://github.com/openlayers/openlayers/issues/17088). Within Django, the referenced js/css for OpenLayers needs to be updated. It is currently 7.2.2 (see ​https://github.com/django/django/blob/main/django/contrib/gis/forms/widgets.py#L78-L88).

I tested a update quickly and it seems to work but I don't have the ability to do a in-depth test of all related features to ensure the update has no side-effects.

[diestl]

Replying to steph:

I tested a update quickly and it seems to work

Thank you for this, I wasn't sure if just upgrading was going to work or whether some additional configuration was going to be needed. I struggled following along with how even OSM end's up being used by the OSMWidget.

but I don't have the ability to do a in-depth test of all related features to ensure the update has no side-effects.

Is it a matter of testing that all the widget capabilities like drawing, deleting, editing and so on of geometries still works? I can't imagine that this change would have an impact beyond that. If so, I think I'm well placed to do that test, though you will just have to take my word for it.

[diestl]

I can confirm at least that creating, editing and deleting features (Polygon and MultiPolygon in my case) works when using the OSMWidget, if openlayers is updated to 10.8 like so: ​https://github.com/django/django/compare/main...EnvSys:django:upgrade-openlayers

There is also a reference to OpenLayers 7.2.2 in ​https://github.com/django/django/blob/e3038897992d1c47f70ffb84ec1109b8d6a68bb9/js_tests/tests.html#L159-L159, which presumably should also be updated... I am not in a good position to test that.

[David Smith]

I was also able to reproduce the issue. I also did a small test to upgrade to the latest version of OpenLayers and saw that the "access blocked" error no longer appear.

[Vidhi Singh]

I would like to work on this ticket.

[Vidhi Singh]

Hi, I started working on this issue and set up a local environment to reproduce it. However, I’m currently facing some setup and environment challenges (especially around GIS dependencies and test configuration), and I won’t be able to continue working on this ticket right now.

I’m stepping back so someone else can take it forward.

Thank you!

[Devarakondarishitha]

Hi, I would like to work on this issue. I will try updating OpenLayers version and test it.

Thanks!