Allow Cross-site Source Data Request with Credentials #3874

Closed
jasonpepper opened this issue Dec 30, 2016 · 6 comments

@jasonpepper
Contributor

Motivation

What use cases are we trying to accommodate?

Source data may contain private data that requires authentication. Furthermore, the data may be hosted at a different HTTP origin than the map application. Currently, cross-site Mapbox ajax requests will not pass authentication tokens.

Design Alternatives

Add a boolean option to the various types of sources called "withCredentials", where if it is true the XMLHttpRequest will have the withCredentials option set to true. For example:

    "mapbox-streets": {
        "type": "vector",
        "url": "mapbox://mapbox.mapbox-streets-v6",
        "withCredentials": true
    }

Concepts

How will we teach this design?

In the style spec, add a description of the new option.

Implementation

How would you implement the design in JavaScript?

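    // url and withCredentials are taken from the source definition
    var xhr = new window.XMLHttpRequest();
    xhr.open('GET', url, true);
    xhr.responseType = 'arraybuffer';
    // when true, cookies and HTTP auth are sent on cross-origin requests
    xhr.withCredentials = withCredentials;
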
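Setting `withCredentials` on the client is only half of the exchange: the browser also refuses to expose a credentialed cross-origin response unless the data host's CORS headers pass a stricter check. The sketch below is an added example, not part of the original post or of the project's code; it models that check and the headers an allowlisting tile host would send. The function names, origins and allowlist are constructed for illustration.

```javascript
// Browser-side rule for a cross-origin XHR sent with withCredentials = true
// (Fetch spec CORS check, credentials mode "include").
// `headers` is a plain object with lowercase header names (assumption).
function checkCredentialedCors(pageOrigin, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  const allowCreds = headers['access-control-allow-credentials'];
  const problems = [];

  if (allowOrigin === undefined) {
    problems.push('missing Access-Control-Allow-Origin');
  } else if (allowOrigin === '*') {
    // The wildcard is not accepted once credentials are included.
    problems.push('Access-Control-Allow-Origin "*" is rejected with credentials');
  } else if (allowOrigin !== pageOrigin) {
    problems.push('Access-Control-Allow-Origin does not match ' + pageOrigin);
  }
  // Compared exactly against the string "true" (case-sensitive).
  if (allowCreds !== 'true') {
    problems.push('Access-Control-Allow-Credentials is not "true"');
  }
  return { readable: problems.length === 0, problems };
}

// Server-side counterpart (hypothetical helper): echo the Origin only when it
// is on an explicit allowlist, never reflect arbitrary origins.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {};
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin', // stop shared caches reusing one origin's response for another
  };
}

// Constructed sample values.
const APP_ORIGIN = 'https://maps.example.com';
const ALLOWLIST = [APP_ORIGIN];
console.log(checkCredentialedCors(APP_ORIGIN, { 'access-control-allow-origin': '*' }));
console.log(checkCredentialedCors(APP_ORIGIN, corsHeadersFor(APP_ORIGIN, ALLOWLIST)));
```

A host that answers every request with `Access-Control-Allow-Origin: *` keeps working for anonymous tile requests but fails this check as soon as the client opts in to credentials.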
@lucaswoj
Contributor

lucaswoj commented Jan 4, 2017

For the same reasons as #2918, I'm not sure this feature fits the TileJSON ethos. This may need to depend on #3326.

@CrokinoleMaster
Contributor

@lucaswoj those two issues look closed. Any plans on allowing credentials?

@mollymerp
Contributor

mollymerp commented May 9, 2017

This feature is not on our current roadmap @huaruiwu. If you'd like to bump it up in the priority rankings, we gauge the popularity of feature requests by reactions on the issue's original post 👍

@CrokinoleMaster
Contributor

Without this feature, it isn't possible to have secure map data. Signing URLs have too much of an overhead. I think @x9xjdzz9's proposed design makes sense.

@rayterrill

We're looking to swing JSON and image hosting over to CloudFront using Signed Cookies, and after struggling to track down what was happening, it appears we're running into this exact same issue. :(

@asheemmamoowala
Contributor

Closed in #5021
