Error 403 when using local files - referer missing - can I use User Agent and what should it contain

Mateusz_Konieczny · April 8, 2026, 1:50pm

Unfortunately OSMF is operating on a shoestring budget.

Also, as far as I know this specific problem has no obvious technical solutions, except ones that overall make things worse.

If they missed one, feel free to describe workable one.

I am not your therapist.

For practical solutions I will be hosting them at localhost (serving html at localhost is not so hard though extra step is annoying) or replacing tile servers with understanding that it only pospones problem until others do the same.

I just did it with some of my tools, some now use German map style.

Mateusz_Konieczny · April 8, 2026, 1:56pm

OSM carto devs are unrelated to the issue here, this is more operational and hosting issue, and specific design of map style has a very limited, if any, impact

DaveF · April 8, 2026, 6:51pm

What SLA do you have with them?

You don’t have a SLA with database contributors yet feel entitled to criticise their changesets.

Highlight a reason why those who attempt to write code for OSM are above having their practises questioned

pnorman · April 16, 2026, 10:20am

If you can suggest a way that pages at file:// can supply the information the tile usage policy requires, we would welcome that.

A page or app sending a generic browser user-agent with no referer (or x-requested-with) is violating the tile usage policy. That has been part of the policy since the early 2010s. We will not be removing that requirement.

We are doing a brownout where we send error tiles on a % requests because we know some pages have inadvertently set a referrer-policy that causes them to not follow the policy. There was no other way to contact them because their referrer policy was blocking the information we would need to contact them.

Spiekerooger · April 16, 2026, 3:05pm

@pnorman

If (what I assume) your (=OWG) cache settings in fastly VSL would allow to disregard query params in a tile url, maybe there is a chance to e.g. set a user-agent via query param and have that checked in VSL (and e.g. blocked if that localhost app using file:// is behaving badly)?

~~E.g. tilelayer url: http://tile.openstreetmap.org/{z}/{x}/{y}.png?user-agent=my-fancy-localhost-app-with-a-unique-user-agent or something similar~~

Maybe it would be a better idea if anyone using file:// is just putting in some effort and use e.g. a add header plugin for leaflet tilelayer like this one (untested): GitHub - jaq316/leaflet-header: Custom headers on Leaflet TileLayer · GitHub

Spiekerooger · April 16, 2026, 4:20pm

Ok, just tested this and it is working: Bildschirmaufzeichnung vom 16.04.2026, 18:16:32 - Embed

So please do the following: add the GitHub - jaq316/leaflet-header: Custom headers on Leaflet TileLayer · GitHub plugin to your leaflet map (or another one that will let you add custom headers to a tile request), use a custom X-Requested-With header like this:

<script>
	const map = L.map('map').setView([51.505, -0.09], 13);
	const tiles = L.tileLayer('https://tile.openstreetmap.org/{z}/{x}/{y}.png', {
		maxZoom: 19,
		attribution: '&copy; <a href="http://www.openstreetmap.org/copyright">OpenStreetMap</a>'
	},
	[
	{ header: 'X-Requested-With', value: 'my-fancy-app-called-via-file' }
	],
	null
	).addTo(map);
</script>

(but please come up with a better - and unique - name for your app)

and you will not run into those 403 errors while displaying the leaflet map in a file:// html page.