Title: Bug Report: Client-Side Geocoding API Request Fails
Last modified: January 22, 2026

---

# Bug Report: Client-Side Geocoding API Request Fails

 *  [tylei](https://wordpress.org/support/users/tylei/)
 * (@tylei)
 * [4 months, 2 weeks ago](https://wordpress.org/support/topic/bug-report-client-side-geocoding-api-request-fails/)
 * Hello Support Team,
 * I am experiencing a critical issue with the Google Maps integration in your plugin.
   The plugin appears to be making direct `XMLHttpRequest` calls to the Google Maps**
   Geocoding API** (REST endpoint) from the client’s browser, rather than using 
   the **Google Maps JavaScript API** Geocoding Service.
 * **The Problem:**
    1. My Google Maps API Key has **HTTP Referrer (Website) restrictions** set for 
       security (e.g., `https://example.com/*`), which is standard best practice.
    2. The plugin attempts to call `https://maps.googleapis.com/maps/api/geocode/json?
       address=...` directly from the user’s browser.
    3. Google’s REST API endpoints **do not support** HTTP Referrer restrictions. They
       require IP restrictions (which are impossible for client-side code) or no restrictions.
    4. This results in the error: `API keys with referer restrictions cannot be used
       with this API` and the functionality breaks (popup doesn’t open).
 * **Why this is a Security Risk:**
   To make your plugin work, I am forced to **remove
   all website restrictions** from my API key, leaving it vulnerable to theft. I
   have to rely on Quota limits to protect my billing, which is not an ideal security
   posture.
 * **Steps to Reproduce:**
    1. Create a Google Maps API Key and restrict it to a specific domain (Referrer).
    2. Use the plugin to search for a pickup point or rely on the auto-geocoding feature.
    3. Observe the console error: `REQUEST_DENIED: API keys with referer restrictions
       cannot be used with this API.`
 * **Suggested Fix for Developers:**
   Please update the code to use the **Google 
   Maps JavaScript API Geocoder class** (`google.maps.Geocoder`) instead of fetching
   the REST endpoint directly. The JavaScript API **does** support Referrer restrictions,
   allowing us to keep our keys secure.

You must be [logged in](https://login.wordpress.org/?redirect_to=https%3A%2F%2Fwordpress.org%2Fsupport%2Ftopic%2Fbug-report-client-side-geocoding-api-request-fails%2F%3Foutput_format%3Dmd&locale=en_US)
to reply to this topic.

 * ![](https://ps.w.org/woo-shipping-dpd-baltic/assets/icon-256x256.png?rev=2081212)
 * [DPD Baltic Shipping](https://wordpress.org/plugins/woo-shipping-dpd-baltic/)
 * [Frequently Asked Questions](https://wordpress.org/plugins/woo-shipping-dpd-baltic/#faq)
 * [Support Threads](https://wordpress.org/support/plugin/woo-shipping-dpd-baltic/)
 * [Active Topics](https://wordpress.org/support/plugin/woo-shipping-dpd-baltic/active/)
 * [Unresolved Topics](https://wordpress.org/support/plugin/woo-shipping-dpd-baltic/unresolved/)
 * [Reviews](https://wordpress.org/support/plugin/woo-shipping-dpd-baltic/reviews/)

 * 0 replies
 * 1 participant
 * Last reply from: [tylei](https://wordpress.org/support/users/tylei/)
 * Last activity: [4 months, 2 weeks ago](https://wordpress.org/support/topic/bug-report-client-side-geocoding-api-request-fails/)
 * Status: not resolved