I'm confused about how the HTTP Referrer settings work on Google Maps API Browser Keys.

I'm building a webpage that programatically requests images from Google Maps (primarily the Google Maps Street View Image API, but also does some queries of MaxZoomService and the Static Maps API from the Javascript API).

If I create a Browser key without an HTTP Referrer, it works great.

If I create a Browser key with an HTTP Referrer that matches the domain the page is loaded from, I get 403 errors. I'm using a referrer like *.mydomain.com/*

What's going on? If i set the HTTP Referrer to match the domain the page is loaded from, wouldn't that be correct usage of the referrer? I can go without, but am afraid that opens me up to others grabbing my key and using it. Am I misunderstanding how the referrer works?

If you use *.example.com/* you would have to come from either www.example.com or another subdomain, but this won't work if you are coming from example.com (notice the period in the first part of the URL)

If you have some sort of redirect to example.com that strips out the first part of the URL, the best regex to use in this case is simply *example.com/* that would cover all subdomains behind example.com, http or https and all contexts after your domain.

Hope it helps.

According to the HTTP referrer placeholder in the console, the *.example.com/* should indeed work.

In practice, though, this indeed doesn't seem to be the case!

I was able to solve the issue by simply setting the referrer to:

example.com

For more information, have a look at Registering authorized URLs. Good luck!