datasette-referrer-policy 0.1

2026-05-05 · Source: Simon Willison's Weblog · Field: Technology & Digital — Software Development & Engineering, Cloud Computing & IT Infrastructure, Cybersecurity & Data Privacy · Depth: Intermediate, quick

Summary

Datasette-referrer-policy 0.1 was released on May 5th, 2026, to address issues with OpenStreetMap tiles not displaying on the Datasette global-power-plants demo site. The problem stemmed from two bugs: first, a CAPTCHA previously added to the site was incorrectly triggering for `.json` fetch requests from the map plugin, which users could not solve as these were not HTML requests. Second, OpenStreetMap blocks tile requests from sites employing a `Referrer-Policy: no-referrer` header, which Datasette uses by default. The new plugin allows Datasette users to modify this default referrer policy, ensuring proper display of OpenStreetMap tiles.

Key takeaway

For DevOps Engineers managing Datasette deployments that integrate external mapping services like OpenStreetMap, you should evaluate your site's `Referrer-Policy` header. Implement datasette-referrer-policy 0.1 to explicitly set a less restrictive policy, preventing issues where external content providers block requests due to a `no-referrer` default. This ensures proper rendering of map tiles and other third-party assets.

Key insights

A new Datasette plugin enables custom Referrer-Policy headers to resolve external content display issues.

Principles

• Default security policies can impact third-party content integration.
• Non-HTML requests require careful CAPTCHA implementation.

Method

A new Datasette plugin was developed using Codex + GPT-5.5 to allow users to set the `Referrer-Policy` header to a value other than the default `no-referrer`.

In practice

• Install datasette-referrer-policy to configure referrer headers.
• Review CAPTCHA logic for non-browser-initiated requests.

Topics

• datasette-referrer-policy
• Referrer-Policy Header
• Datasette Platform
• OpenStreetMap Integration
• CAPTCHA Bypass

Code references

• datasette/datasette-referrer-policy
• simonw/datasette-turnstile
• simonw/datasette.io

Best for: Software Engineer, DevOps Engineer

Related on AIssential

• datasette-tailscale 0.1a0 — An experimental Datasette plugin integrates with Tailscale, enabling secure, private network access to Datasette instances via a sidecar.
• Welcome to the Datasette blog — Datasette launched a new blog, built with OpenAI Codex, to share project announcements.
• North Star Data Center Policy Toolkit: State and Local Policy Interventions to Stop Rampant AI Data Center Expansion — The toolkit provides policy options to mitigate the negative community impacts of hyperscale data center development.
• SAFEINHOME EXPANDS ACCESS WITH CLOSED CAPTIONING IN REMOTE SUPPORTS — Closed captioning enhances accessibility and clarity in video-based remote support for diverse communication needs.
• Copirate 365 at DEF CON: Plundering in the Depths of Microsoft Copilot (CVE-2026-24299) — AI assistants with private data, untrusted content, and external communication form a "lethal trifecta" for data exfiltration.
• How the Datadog MCP server can help improve IT operational insight and observability — The Datadog MCP Server translates natural language into actionable observability insights across diverse IT data.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Simon Willison's Weblog.