#18820 closed defect (fixed)
JOSM sends OAuth headers when downloading map
Reported by: | simon04 | Owned by: | team |
---|---|---|---|
Priority: | normal | Milestone: | 20.05 |
Component: | Core | Version: | |
Keywords: | template_report oauth api map | Cc: |
Description
What steps will reproduce the problem?
- Start with --debug
- Login via OAuth
- Download map
What is the expected result?
No OAuth headers are sent since the /api/0.6/map is read-only.
What happens instead?
JOSM sends OAuth headers to https://api.openstreetmap.org/api/0.6/map
```
2020-02-29 21:50:02.387 FINE: REQEST HEADERS: {Accept-Encoding=gzip, deflate, Authorization=OAuth oauth_consumer_key="xxxx", oauth_nonce="xxxx", oauth_signature="xxxx", oauth_signature_method="HMAC-SHA1", oauth_timestamp="xxxx", oauth_token="xxxx", oauth_version="1.0"}
2020-02-29 21:50:02.630 INFO: GET https://api.openstreetmap.org/api/0.6/map?bbox=11.3826703,47.2644566,11.3866688,47.2661062 -> HTTP/1.1 200 (244 ms)
2020-02-29 21:50:02.630 FINE: RESPONSE HEADERS: {Transfer-Encoding=[chunked], Keep-Alive=[timeout=5, max=100], null=[HTTP/1.1 200 OK], Strict-Transport-Security=[max-age=31536000; includeSubDomains; preload, max-age=31536000; includeSubDomains; preload], Cache-Control=[private, max-age=0, must-revalidate], Server=[Apache/2.4.29 (Ubuntu)], Content-Disposition=[attachment; filename="map.osm"], Connection=[Keep-Alive], Content-Encoding=[gzip], Date=[Sat, 29 Feb 2020 20:50:02 GMT], Content-Type=[text/xml; charset=utf-8], Expect-CT=[max-age=0, report-uri="https://openstreetmap.report-uri.com/r/d/ct/reportOnly", max-age=0, report-uri="https://openstreetmap.report-uri.com/r/d/ct/reportOnly"]}
```
Please provide any additional information below. Attach a screenshot if possible.
```
Build-Date:2020-02-28 00:24:36
Revision:15950
Is-Local-Build:true
Identification: JOSM/1.5 (15950 SVN en_GB) Linux Arch Linux
Memory Usage: 695 MB / 3531 MB (489 MB allocated, but free)
Java version: 1.8.0_242-b08, Oracle Corporation, OpenJDK 64-Bit Server VM
Screen: :0.0 3840x2160
Maximum Screen Size: 3840x2160
VM arguments: [-agentlib:jdwp=transport=dt_socket,address=127.0.0.1:42919,suspend=y,server=n, -Djosm.home=<josm.pref>, -javaagent:/home/simon/bin/idea/plugins/Groovy/lib/agent/gragent.jar, -javaagent:/home/simon/bin/idea/plugins/java/lib/rt/debugger-agent.jar, -agentpath:/tmp/libmemory_agent.so=, -Dfile.encoding=UTF-8]
Program arguments: [--set=expert=true, --set=iso.dates=true, --set=debug.edt-checker.enable=true, --debug]
Dataset consistency test: No problems found
```
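As an added example, not code from JOSM or from this ticket, the Python below shows the behaviour the report asks for: a client that signs requests with OAuth 1.0 HMAC-SHA1 (RFC 5849) but consults a per-endpoint policy first, so GET /api/0.6/map leaves without an Authorization header while PUT /api/0.6/changeset/create carries one. The policy itself (authenticate every non-GET/HEAD call, and only the GETs under /api/0.6/user/), the credential values, the nonce and the timestamp are assumptions made for illustration, not JOSM's or the OSM API's rules.

```python
"""Added example (not JOSM code): send an OAuth 1.0 Authorization header only
where the OSM API call needs it, so a read-only GET /api/0.6/map goes out
unauthenticated. Credentials, nonce and timestamp are constructed placeholders."""
import base64
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from urllib.parse import parse_qsl, quote, urlparse


@dataclass(frozen=True)
class OAuth1Credentials:
    consumer_key: str
    consumer_secret: str
    token: str
    token_secret: str


# Assumed policy for this example (not JOSM's): anything that is not a GET/HEAD
# needs the token, and among GETs only the per-user endpoints do.
AUTH_REQUIRED_GET_PREFIXES = ("/api/0.6/user/",)


def needs_auth(method: str, path: str) -> bool:
    """Return True when the OAuth token should be attached to this request."""
    if method.upper() not in ("GET", "HEAD"):
        return True
    return path.startswith(AUTH_REQUIRED_GET_PREFIXES)


def _pct(value) -> str:
    # RFC 5849 section 3.6: only unreserved characters stay unencoded.
    return quote(str(value), safe="-._~")


def signature_base_string(method: str, url: str, oauth_params: dict) -> str:
    """RFC 5849 section 3.4.1: METHOD & base URL & normalized parameters."""
    parts = urlparse(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = list(parse_qsl(parts.query, keep_blank_values=True)) + list(oauth_params.items())
    # Encode first, then sort by encoded name and value, then join.
    encoded = sorted((_pct(k), _pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join((method.upper(), _pct(base_url), _pct(normalized)))


def hmac_sha1_signature(base_string: str, creds: OAuth1Credentials) -> str:
    """RFC 5849 section 3.4.2: key is consumer secret & token secret, both encoded."""
    key = f"{_pct(creds.consumer_secret)}&{_pct(creds.token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def authorization_header(method: str, url: str, creds: OAuth1Credentials,
                         nonce: str = None, timestamp: int = None) -> str:
    """Build the 'Authorization: OAuth ...' value JOSM's debug log shows."""
    oauth_params = {
        "oauth_consumer_key": creds.consumer_key,
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_signature_method": "HMAC-SHA1",
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_token": creds.token,
        "oauth_version": "1.0",
    }
    # The signature is computed over the other parameters, then added.
    oauth_params["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, oauth_params), creds)
    return "OAuth " + ", ".join(f'{k}="{_pct(v)}"' for k, v in sorted(oauth_params.items()))


def build_headers(method: str, url: str, creds: OAuth1Credentials, **kw) -> dict:
    """Request headers for one API call; Authorization only when the policy says so."""
    headers = {"Accept-Encoding": "gzip, deflate"}
    if needs_auth(method, urlparse(url).path):
        headers["Authorization"] = authorization_header(method, url, creds, **kw)
    return headers


if __name__ == "__main__":
    creds = OAuth1Credentials("ck", "cs", "tk", "ts")  # constructed placeholders
    map_url = ("https://api.openstreetmap.org/api/0.6/map"
               "?bbox=11.3826703,47.2644566,11.3866688,47.2661062")
    print(build_headers("GET", map_url, creds))          # no Authorization key
    print(build_headers("PUT", "https://api.openstreetmap.org/api/0.6/changeset/create", creds))
```

The point of the split is that the decision to attach the token is made from the method and path alone, before any signing happens, so a read-only download cannot leak the token even if the signing code is reused for every request.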
Attachments (0)
Change History (7)
comment:1 by , 5 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:2 by , 5 years ago
Resolution: | invalid |
---|---|
Status: | closed → reopened |
This should be optional but I did not find any possibility to disable it.
Note: I also got a timeout from Overpass these days after running too many queries of small bboxes within seconds. So at least for people on the same IP, Overpass might need an adjustment.
comment:4 by , 5 years ago
Milestone: | → 20.05 |
---|
comment:5 by , 5 years ago
> This should be optional but I did not find any possibility to disable it.
What would be a use case why you would disable this?
comment:7 by , 5 years ago
Replying to simon04:
> Following the principle of least privilege.
The wiki article as it is does not apply here (it does when looking from the API side :-). But I think it's clear what's meant. When there is no need to send login data, there should be a chance to prevent it. What's not transmitted also cannot be misused.
This behaviour is intentional, see #13872.