Google API Keys Weren't Secrets. But then Gemini Changed the Rules
30 points by krtab
The writing style feels unfortunately llm-y to me, but the content is interesting so I thought it was worth posting.
I even unsuggested the vibecoding tag, since this can have implications that go beyond strict vibecoding.
And it reads more like corporate blandness to me than llm-y — I think there may have been lawyers involved.
It's certainly written by AI, the typical patterns match exactly. They likely used AI to clean up their writing.
It didn't annoy me enough to make me think to ask the question, and I'm usually fairly easily annoyed :) It seemed to convey the points reasonably clearly. As you say, maybe human authored then tweaked by AI afterwards?
I for one never understood the concept of anon secret API key.
Well, I'll give you one example from a site I manage. It's 2016. I want to host a static website that embeds Google Maps. The user's browser needs to pass the API key to maps, but of course anything that is exposed to the user's browser can't be considered a secret.
But why does the user’s browser need to pass an API key? Didn’t you just steal that key from your competitor and their static site?
Because Google checks the Referer header on the requests from the user's browser against a list configured by the owner of the API key. Obviously an attacker could send requests with a forged Referer header, but this doesn't actually accomplish anything useful beyond racking up the legitimate key holder's bill, as the whole point of the API key is showing maps to a user, who (almost certainly) is using a normal browser which sends an honest Referer header.
I thought browsers couldn't be relied on to send Referer headers any more these days.
Sometimes. Please be wary of errors in the following because my memory is fuzzy:
When a user clicks on a link from one page to another, Referer is sent only sometimes. The originating page can explicitly opt into asking the browser to send it, or ask the browser to not send it. Offhand I think the default policy is to send it only for clicks to other pages on the same origin but don't quote me on that, I'd have to check.
When making CORS requests with fetch or XHR I think you send a Referer header but also I am certain that you always send an Origin header.
Cross origin embeds, I'm not sure what the policy is these days.
Not for links between pages, but I’m pretty sure they still send them for XHR/Fetch requests by a page.
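As an added illustration of the Referer/Origin allow-listing discussed in this thread (example code written for this page, not from Google or any commenter), here is a server-side check in the style of a referrer-restricted browser key: it prefers the Origin header, which browsers attach to cross-origin fetch/XHR, falls back to Referer reduced to an origin, and refuses requests carrying neither; the allow-list entries and sample requests are constructed. As the thread notes, such a check stops honest browsers on unlisted sites but cannot detect a forged header.

```python
from urllib.parse import urlsplit

# Constructed allow-list in the style of "HTTP referrer" key restrictions:
# scheme://host[:port], optionally with a leading "*." wildcard on the host.
ALLOWED_ORIGINS = ["https://maps.example.com", "https://*.example.org"]

def origin_of(url):
    """Reduce a URL to (scheme, host, port); None if it is not a usable http(s) URL."""
    try:
        p = urlsplit(url)
        if p.scheme not in ("http", "https") or not p.hostname:
            return None
        return (p.scheme, p.hostname.lower(), p.port or (443 if p.scheme == "https" else 80))
    except ValueError:  # malformed netloc or non-numeric port in the header value
        return None

def origin_matches(origin, pattern):
    """Scheme and port must match exactly; "*." covers the domain and all subdomains."""
    want = origin_of(pattern)
    if want is None or origin[0] != want[0] or origin[2] != want[2]:
        return False
    host, want_host = origin[1], want[1]
    if want_host.startswith("*."):
        base = want_host[2:]
        return host == base or host.endswith("." + base)
    return host == want_host

def request_allowed(headers, allowlist=ALLOWED_ORIGINS):
    """Origin first (sent on cross-origin fetch/XHR, not stripped by referrer policy),
    then Referer reduced to an origin so path/query never matter. No header at all is
    refused: an allow-list cannot be enforced on an absent value. A forged header is
    not detected here; the check only stops honest browsers on unlisted sites."""
    h = {k.lower(): v for k, v in headers.items()}
    for name in ("origin", "referer"):
        value = h.get(name)
        if value and value.lower() != "null":  # "null" Origin = opaque/sandboxed
            origin = origin_of(value)
            return origin is not None and any(origin_matches(origin, p) for p in allowlist)
    return False

# Constructed sample requests covering the cases raised in the thread.
SAMPLE_REQUESTS = {
    "fetch from allowed app": {"Origin": "https://maps.example.com"},
    "embed from allowed subdomain": {"Referer": "https://app.example.org/p?q=1"},
    "same host, plain http": {"Referer": "http://maps.example.com/"},
    "lookalike domain": {"Origin": "https://example.org.attacker.test"},
    "referrer policy stripped": {},
}

def evaluate_samples():
    return {name: request_allowed(hdrs) for name, hdrs in SAMPLE_REQUESTS.items()}
```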