Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: allowed origins should not be * by default #1359

Closed
dokterbob opened this issue Sep 19, 2024 · 4 comments · Fixed by #1575
Closed

Security: allowed origins should not be * by default #1359

dokterbob opened this issue Sep 19, 2024 · 4 comments · Fixed by #1575
Labels
evaluate-with-priority What's needed to address this one? security

Comments

@dokterbob
Copy link
Collaborator

CORS headers should be restricted to the current domain at least, by default.
@dokterbob dokterbob added needs-triage evaluate-with-priority What's needed to address this one? security labels Sep 19, 2024
@dokterbob dokterbob mentioned this issue Sep 19, 2024
Closed
@dokterbob
Copy link
Collaborator Author

@dosu Where do we have to look in the settings/code to set this to a sensible/safe default value?

@dosubot DosuBot
Copy link

dosubot bot commented Sep 23, 2024

To set the allowed origins for CORS headers to a sensible/safe default value, you need to look at the allow_origins setting in the config.toml file.

# Authorized origins
allow_origins = ["*"]

You should replace ["*"] with a list of specific origins that you want to allow. For example:

# Authorized origins
allow_origins = ["https://example.com", "https://anotherdomain.com"]

This setting can be found in multiple config.toml files within the repository, such as:

  • cypress/e2e/copilot/.chainlit/config.toml [1]
  • cypress/e2e/tasklist/.chainlit/config.toml [2]
  • cypress/e2e/elements/.chainlit/config.toml [3]
  • cypress/e2e/custom_build/.chainlit/config.toml [4]
  • copilot/.chainlit/config.toml in the Chainlit's cookbook repo [5].

Additionally, the allow_origins setting can be overridden by the CHAINLIT_ALLOW_ORIGINS environment variable [6].

To continue talking to Dosu, mention @dosu.

@dokterbob
Copy link
Collaborator Author

@dosu Maybe we could make the default in the settings file 127.0.0.1 and localhost, then document users to change it for production to whatever website/domain they use?

@dosubot DosuBot
Copy link

dosubot bot commented Sep 23, 2024

Yes, you can set the default allowed origins in the settings file to 127.0.0.1 and localhost, and then document for users to change it for production to their specific domains. You can modify the config.toml file as follows:

[project]
# Authorized origins
allow_origins = ["127.0.0.1", "localhost"]

This change can be made in the config.toml files located in various directories, such as:

  • cypress/e2e/copilot/.chainlit/config.toml
  • cypress/e2e/tasklist/.chainlit/config.toml
  • cypress/e2e/elements/.chainlit/config.toml
  • cypress/e2e/custom_build/.chainlit/config.toml
  • copilot/.chainlit/config.toml in the Chainlit's cookbook repo [1][2].

Additionally, you should document this change and instruct users to update the allow_origins setting for their production environments to their specific domains.

To continue talking to Dosu, mention @dosu.

@dokterbob dokterbob mentioned this issue Dec 10, 2024
Merged
dokterbob pushed a commit to SynergyOS-ai/chainlit that referenced this issue Jan 14, 2025
@willydouhard @dokterbob
feat: enhance socket.io configuration and CORS handling (Chainlit#1575)
7bc71d6 
This improves Socket.IO configuration and CORS handling for cross-origin use cases,
particularly focusing on scenarios where Chainlit is embedded in other websites (copilot, closes Chainlit#1279) or deployed behind load balancers:

- Make Socket.IO client transports configurable via `project.transports` setting
- Move connection parameters from headers to Socket.IO auth object for better
  websocket compatibility
- Update CORS handling to properly support authenticated cross-origin requests. Closes Chainlit#1359.
- Remove unnecessary task start/end events from window_message handler

BREAKING CHANGE: For cross-origin deployments, wildcard "*" is no longer supported
in allow_origins when using authenticated connections. Specific origins must be
listed in the project config.

Possibly resolves Chainlit#719, Chainlit#1339, Chainlit#1369, Chainlit#1407, Chainlit#1492, Chainlit#1507.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
evaluate-with-priority What's needed to address this one? security
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: pass headers when connecting sockets Chainlit/chainlit
1 participant
@dokterbob