Open dokterbob opened 1 week ago
@dosu Where do we have to look in the settings/code to set this to a sensible/safe default value?
To set the allowed origins for CORS headers to a sensible/safe default value, you need to look at the `allow_origins` setting in the `config.toml` file.

```toml
# Authorized origins
allow_origins = ["*"]
```

You should replace `["*"]` with a list of specific origins that you want to allow. For example:

```toml
# Authorized origins
allow_origins = ["https://example.com", "https://anotherdomain.com"]
```

This setting can be found in multiple `config.toml` files within the repository, such as:

- cypress/e2e/copilot/.chainlit/config.toml [1]
- cypress/e2e/tasklist/.chainlit/config.toml [2]
- cypress/e2e/elements/.chainlit/config.toml [3]
- cypress/e2e/custom_build/.chainlit/config.toml [4]
- copilot/.chainlit/config.toml

in the Chainlit cookbook repo [5]. Additionally, the `allow_origins` setting can be overridden by the `CHAINLIT_ALLOW_ORIGINS` environment variable [6].
To continue talking to Dosu, mention @dosu.
@dosu Maybe we could make the default in the settings file 127.0.0.1 and localhost, then document users to change it for production to whatever website/domain they use?
Yes, you can set the default allowed origins in the settings file to `127.0.0.1` and `localhost`, and then document for users to change it for production to their specific domains. You can modify the `config.toml` file as follows:

```toml
[project]
# Authorized origins
allow_origins = ["127.0.0.1", "localhost"]
```

This change can be made in the `config.toml` files located in various directories, such as:

- cypress/e2e/copilot/.chainlit/config.toml
- cypress/e2e/tasklist/.chainlit/config.toml
- cypress/e2e/elements/.chainlit/config.toml
- cypress/e2e/custom_build/.chainlit/config.toml
- copilot/.chainlit/config.toml

in the Chainlit cookbook repo [1][2]. Additionally, you should document this change and instruct users to update the `allow_origins` setting for their production environments to their specific domains.
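The two replies above describe the `allow_origins` list but not how a server actually compares it against a browser's `Origin` header, which is what decides whether `["*"]` is dangerous and whether an entry such as `"localhost"` would match anything. The script below is an added example written for this thread, not Chainlit's or Dosu's code. It assumes exact string matching with `"*"` meaning any origin (the behaviour of Starlette's `CORSMiddleware`; this is an assumption, not verified against Chainlit's implementation), and it uses constructed sample `config.toml` texts modelled on the snippets in the thread. Because a browser sends `Origin` as `scheme://host[:port]`, the audit flags entries that lack a scheme as ones that can never match.

```python
"""Check an incoming Origin header against a Chainlit-style allow_origins list.

Added example, not Chainlit's own code. Assumption: entries are compared by
exact string match and "*" means any origin (Starlette CORSMiddleware-style).
"""
import re
from typing import List, Optional

try:
    import tomllib  # standard library on Python 3.11+
except ImportError:  # older interpreters fall back to a minimal regex parse
    tomllib = None

# Constructed sample configs mirroring the snippets quoted in the thread.
WILDCARD_CONFIG = '''
[project]
# Authorized origins
allow_origins = ["*"]
'''

RESTRICTED_CONFIG = '''
[project]
# Authorized origins
allow_origins = ["http://localhost:8000", "http://127.0.0.1:8000", "https://example.com"]
'''


def load_allow_origins(toml_text: str) -> List[str]:
    """Read [project].allow_origins from config text."""
    if tomllib is not None:
        return list(tomllib.loads(toml_text)["project"]["allow_origins"])
    m = re.search(r'allow_origins\s*=\s*\[(.*?)\]', toml_text, re.S)
    return re.findall(r'"([^"]*)"', m.group(1)) if m else []


def cors_allow_origin_header(origin: Optional[str], allow_origins: List[str]) -> Optional[str]:
    """Return the Access-Control-Allow-Origin value to emit, or None for no CORS header.

    A browser's Origin header is scheme://host[:port], so list entries must be
    full origins; a bare "localhost" never equals "http://localhost:8000".
    """
    if origin is None:
        return None  # same-origin or non-browser request: nothing to grant
    if "*" in allow_origins:
        return "*"  # any site on the web may read the response
    if origin in allow_origins:
        return origin  # exact match: reflect the allowed origin
    return None


def audit_config(toml_text: str) -> List[str]:
    """Return human-readable findings about risky or ineffective allow_origins entries."""
    findings = []
    for entry in load_allow_origins(toml_text):
        if entry == "*":
            findings.append("wildcard '*' allows any website to make cross-origin requests")
        elif not re.match(r'^https?://[^/]+$', entry):
            findings.append(f"'{entry}' is not a full origin (scheme://host[:port]) and will never match")
    return findings


if __name__ == "__main__":
    for name, cfg in (("wildcard", WILDCARD_CONFIG), ("restricted", RESTRICTED_CONFIG)):
        origins = load_allow_origins(cfg)
        print(name, origins)
        for o in ("http://localhost:8000", "https://evil.example"):
            print("  ", o, "->", cors_allow_origin_header(o, origins))
        print("   findings:", audit_config(cfg) or "none")
```

Running it shows that the wildcard config hands `Access-Control-Allow-Origin: *` to every site, the restricted config answers only for the listed full origins, and a list such as `["127.0.0.1", "localhost"]` would, under exact matching, grant nothing at all, so a development default should spell out the scheme and port the local UI actually uses.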
CORS headers should be restricted to the current domain at least, by default.