[Pkg-xfce-devel] Bug#891325: xfce4-weather-plugin: search function violates provider's usage policy

[Sergio Gelato]

Package: xfce4-weather-plugin
Version: 0.8.9-1
Severity: serious

The location search functionality is currently broken. On investigation, I find
the following URL in the source code:
http://nominatim.openstreetmap.org/search?q=%s&format=xml
(where %s is replaced by the sanitized query string).

Using this URL in Firefox returns plausible results. Searching in the plugin
and capturing the wire traffic shows the following:

GET /search?q=%s&format=xml HTTP/1.1
Host: nominatim.openstreetmap.org
Connection: Keep-Alive

(note the lack of a referrer or user agent in the request), to which the
server responds with

<html>
<head>
<title>Access blocked</title>
</head>
<body>
<h1>Access blocked</h1>

<p>You have been blocked because you have violated the
<a href="https://operations.osmfoundation.org/policies/nominatim/">usage policy</a>
of OSM's Nominatim geocoding service. Please be aware that OSM's resources are
limited and shared between many users. The usage policy is there to ensure that
the service remains usable for everybody.</p>

<p>Please review the terms and make sure that your
software adheres to the terms. You should in particular verify that you have set a
+<b>valid</b> referrer or a user agent that identifies your application, and
that you are not overusing the service with massive bulk requests.</p>

<p>If you feel that this block is unjustified or remains after you have adopted
your usage, you may contact the Nominatim system administrator at
nominatim at openstreetmap.org to have this block lifted.</p>
</body>
</head>

I understand that the plugin relies on libsoup for this. The documentation for
soup_session_new_with_options mentions a SOUP_SESSION_USER_AGENT which one may
want to consider using.

Incidentally, libsoup supports TLS. An https:// URL would be an improvement,
except for debugging (so one may want to add a toggle for this, with https
being the default setting).