Missing CORS in renderd.conf and 403 HTTP errors returned by mod_tile

[cquest]

The current code taking care of CORS return 403 errors when the Origin header in the client request does not match the CORS=xxx parameter in renderd.conf or when this parameter is missing.

It does not seem logical as CORS is to be handled by the client, not by the server.

It could be seen as a way to limit access to the tileserver but in fact, this test is done by mod_tile AFTER calling renderd and generating the metatile.

I don't really understand the logic, that why I have no PR to offer so far.

[lonvia]

Is this possibly related to #479? Debian 13 unfortunately ships with version 0.8 with doesn't have the bug fix yet. Workaround if you don't need CORS restrictions is to unset Origin in Apache.

[hummeltech]

Yes, that does indeed sound a lot like the same issue addressed in #479, if you could provide which mod_tile version you are using and your Operating System details, that could be helpful. The latest released version, v0.8.1, does have that fix applied and has been picked up for packaging in Debian, but has not yet made it into stable:
https://salsa.debian.org/debian-gis-team/libapache2-mod-tile/-/commits/master?ref_type=HEADS

[cquest]

I'm running this version:

libapache2-mod-tile/stable,now 0.8.0-1 amd64 [installed]
  Apache module to deliver tiles created by renderd

renderd/stable,now 0.8.0-1 amd64 [installed]
  Daemon that renders map tiles using mapnik

Good to know it has been fixed, my workaround was to simply add CORS=* in renderd.conf