umap-project/umap

Smuggle path URL attributes

Opened this issue · 0 comments

p-p-s commented

Dear uMap team,

I just realized that anyone with minimal webpage and uMap know-how can just copy the uMap maps which I created for Makalu Arun Social Trek (MAST) and display them as their own maps. This was a big surprise as I trusted the choices made as part of the map definitions:
Display the embed control: never
Do you want to display the "more" control: OFF

I trusted that by means of these two settings in the map it wouldn't be possible for my customer's competition to just take a backup download of these uMap maps created for the non-profit association, MAST, and upload them to an empty uMap map of theirs, copying everything in less than five minutes and display them on their Web sites as their own work.

But on the contrary, they can. And it is quite easy. It just needs these steps:

  • They visit the webpage with the uMap map they want to copy
  • Press Ctrl-U or right-click > View page source
  • Search for "iframe" to find the iframe tag containing the URL for the uMap map created for MAST
  • Copy the iframe tag into any production, test, or development webpage of theirs and modify it by adding "embedControl=true&"
  • Publish their page
  • Visit the just published page with the map
  • Within the map click Share and download > full backup >
  • In an empty map of their own, press Import data > Choose files > select the just downloaded backup .umap file > Import data >

Et voilà! If they want to camouflage their theft they can make a few central changes like renaming the map, altering layer colors and layer titles, changing the default icon shape on map level or the color or dash-array structure of paths.

It was always clear to me that looking up the URL of MAST's uMap maps is very easy. But if one just copied the URL to their own production website, the caption pane displayed in the beginning would always say "by Makalu_Arun_Social_Trek", which would probably repel theft.

Why do the URL attributes overrule the definitions made within the map? Please stop the overruling power of the URL attributes.

I also do not understand why the browser pane contains the "download visible data" icon with the geojson, gpx, kmla and csv options. My suggestion would be not to display the "download visible data" icon if "Display the embed control:" is set to "never".

Thanks
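
The precedence rule requested in the issue, as an added example that is not part of the original post and is not uMap's code: saved map settings are merged with URL query attributes, and a control the owner disabled cannot be switched back on from the URL. `resolveDisplayOptions`, the `moreControl` and `zoomControl` keys, the value encoding and the sample inputs are assumptions made for illustration; only `embedControl` appears in the issue.

```javascript
// Added illustration, not uMap's code. All names except "embedControl" are hypothetical.

// Accept only explicit boolean spellings from the URL.
function parseBool(raw) {
  if (raw === "true" || raw === "1") return true;
  if (raw === "false" || raw === "0") return false;
  return undefined;
}

// A control counts as owner-disabled when saved as false or "never".
function isOwnerDisabled(value) {
  return value === false || value === "never";
}

// Merge URL attributes into the owner's saved settings.
// The URL may turn a control off, but may not re-enable one the owner disabled.
function resolveDisplayOptions(ownerSettings, queryString) {
  const effective = { ...ownerSettings };
  const rejected = [];
  for (const [key, raw] of new URLSearchParams(queryString)) {
    // Only keys the owner's settings actually define are considered.
    if (!Object.prototype.hasOwnProperty.call(ownerSettings, key)) continue;
    const value = parseBool(raw);
    if (value === undefined) continue;
    if (isOwnerDisabled(ownerSettings[key]) && value === true) {
      rejected.push(key); // keep for logging: someone tried to override a lock
      continue;
    }
    effective[key] = value;
  }
  return { effective, rejected };
}

// Constructed sample: settings as described in the issue, plus one unlocked control.
const saved = { embedControl: "never", moreControl: false, zoomControl: true };
const result = resolveDisplayOptions(saved, "embedControl=true&zoomControl=false&");
console.log(result.effective, result.rejected);
```

This rule only decides which controls are rendered; whether the map data behind them can still be fetched by a visitor is a separate, server-side question.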