
Chrome's geolocation fails daily due to API limit - zspitzer
https://bugs.chromium.org/p/chromium/issues/detail?id=753242
======
Flammy
Heh, so Google's own projects run into Google rate limits too.

~~~
Scaevolus
Rate limits are how services prevent even legitimate clients from accidentally
destroying them!

~~~
blaisio
It's pretty weird in this case.

Google serves web pages and adds rate limits to keep people from taking their
servers down (or, at least, from making them use way more servers than normal,
which would make providing the services too expensive, which would force them
to take the servers down). If their servers go down, then users can no longer
use their web pages properly. But, here we see the rate limiting is itself
keeping users from using web pages properly. So the rate limiting is
effectively disabling services even though the whole point of the rate limit
is to protect them!

I wonder if there are other feedback loops in Chrome where, in order to be
able to keep serving web pages, Google could sometimes accidentally prevent
Chrome users from viewing web pages?

~~~
londons_explore
The API key built into Chrome isn't exactly super secure - anyone can reverse
engineer the binary to extract it.

One might imagine that an evil user has done exactly that, and started sending
billions of requests to the API, exhausting the quota.

It is better to have the quota exhaust, effectively blocking all Chrome users,
than have the service fail due to overload which would block _all_ users (for
example, maps.google.com, and iOS and Android)

The long term fix is probably to issue temporary per-user keys to each signed
in user, so that anyone who misuses the key will only block themselves. Since
Chrome allows non-signed in users, there will be considerable complexity and
difficulty with that approach.

------
zspitzer
I've been told this has been addressed.

If you want to test POSITION_UNAVAILABLE, IE 11 always fails after the first
request.

For anyone interested, the location emulation in Chrome Dev Tools is also
buggy, Chrome also fires two callbacks on failure, TIMEOUT and
POSITION_UNAVAILABLE
[https://bugs.chromium.org/p/chromium/issues/detail?id=542923](https://bugs.chromium.org/p/chromium/issues/detail?id=542923)

~~~
ncr100
Comment 9 by scheib@chromium.org, Today (33 minutes ago) Status: Started Thank
you for reporting. We have adjusted API limits that should ease this
immediately. Our monitoring is clearly not sufficient and we will follow up
with process improvements to avoid this recurring.

------
gondo
does this mean that technically (not legally) one can extract API credentials
form chromium/chrome and use them in other project?

~~~
KekDemaga
You can do that for practically any API you can imagine if you are creative
enough.

~~~
gondo
i don't understand what do you mean. how can i do that? f.e. how would i do
that with AWS API?

the thing with chromium is: it is open source (you can find the credentials),
it is meant to be used on any computer via any IP (you can't whitelist API
requests)

~~~
ktta
>the thing with chromium is: it is open source (you can find the credentials)

No, you have to get your own API keys via Google Cloud API Manager _before_
building chromium. That's the reason why Chromium on Windows doesn't let you
log in.

I presume Chromium on linux distros will use an API key of the package
maintainer.

Also, in most closed source binaries (which chrome _is_ a part because it has
binary blobs not present in Chromium - see Google Cast, etc) you will have to
sign a EULA where you agree to no disassemble and use that API key, so doing
so is illegal too.

------
spaniard_dev
I'm almost sure this also happens with the translation API. Some days when I
try to translate websites I get 403 errors and I have to wait for some time
until I can use the feature again.

------
xpaulbettsx
[https://www.chromium.org/developers/how-tos/api-
keys](https://www.chromium.org/developers/how-tos/api-keys)

~~~
mastax
Interesting... if you make a chromium derivative, you need to pay for user's
google API access. Or replace them with something else.

~~~
cpeterso
You can use Mozilla's free geolocation service based on crowd-sourced location
data for hundreds of millions of Wi-Fi access points, cell towers, and
Bluetooth beacons. The website has a zoomable world map of network location
coverage:

[https://location.services.mozilla.com/map](https://location.services.mozilla.com/map)

