Chainlit / chainlit

Build Conversational AI in minutes ⚡️
https://docs.chainlit.io
Apache License 2.0

Use proper CORS headers on SocketIO server #1540

Open dokterbob opened 3 days ago

dokterbob commented 3 days ago

The SocketIO server is currently getting [] as allowed CORS headers:

https://github.com/Chainlit/chainlit/blob/fd882b82777ae9dd87d5a93c1d29af0064e1dcd7/backend/chainlit/server.py#L189

It should probably be set to the value of the allow_origins setting: https://github.com/Chainlit/chainlit/blob/fd882b82777ae9dd87d5a93c1d29af0064e1dcd7/backend/chainlit/config.py#L308

Which are also referred to here: https://github.com/Chainlit/chainlit/blob/fd882b82777ae9dd87d5a93c1d29af0064e1dcd7/backend/chainlit/server.py#L200

dokterbob commented 3 days ago

In addition, we should really not be using * as default value for CORS headers, but rather default to the server's current host/port, localhost and require users to configure this in deployment, due to CSRF vectors.

Ref: #1512
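As an added illustration of the two points raised in this thread (the Socket.IO server receiving an empty allow-list instead of the `allow_origins` setting, and `*` being an unsafe default), the following is example code written for this page, not Chainlit's own implementation. The function and variable names (`resolve_cors_origins`, `default_origins`, `origin_allowed`, `DEFAULT_HOST`) are hypothetical; the returned list is the kind of value one would pass to python-socketio's `AsyncServer(cors_allowed_origins=...)`, which is not imported here so the example runs without that package.

```python
"""Derive a CORS allow-list for a Socket.IO server from an allow_origins
setting, falling back to the server's own host/port and localhost instead of
the wildcard "*". Added example; not Chainlit's code."""
from typing import Iterable, List, Optional, Union
from urllib.parse import urlsplit

# Hypothetical defaults for the example (not Chainlit's settings).
DEFAULT_HOST = "localhost"
DEFAULT_PORT = 8000


def default_origins(host: str = DEFAULT_HOST, port: int = DEFAULT_PORT) -> List[str]:
    """Restrictive default: only the server's own host/port plus localhost.

    Deployments that serve the UI from another origin must configure
    allow_origins explicitly instead of inheriting a wildcard.
    """
    origins = {
        f"http://{host}:{port}",
        f"http://localhost:{port}",
        f"http://127.0.0.1:{port}",
    }
    return sorted(origins)


def resolve_cors_origins(
    allow_origins: Union[str, Iterable[str], None],
    host: str = DEFAULT_HOST,
    port: int = DEFAULT_PORT,
) -> List[str]:
    """Map the allow_origins setting to an explicit CORS allow-list.

    - empty / None / any "*" entry (the weak wildcard): use the local default
    - otherwise: every entry must be an absolute origin, scheme://host[:port],
      with no path, query or fragment; anything else raises ValueError
    """
    if isinstance(allow_origins, str):
        allow_origins = [allow_origins]
    entries = list(allow_origins or [])
    if not entries or "*" in entries:
        return default_origins(host, port)

    resolved: List[str] = []
    for origin in entries:
        parts = urlsplit(origin)
        if (
            parts.scheme not in ("http", "https")
            or not parts.netloc
            or parts.path not in ("", "/")
            or parts.query
            or parts.fragment
        ):
            raise ValueError(f"invalid origin in allow_origins: {origin!r}")
        resolved.append(f"{parts.scheme}://{parts.netloc}")
    return resolved


def origin_allowed(origin_header: Optional[str], allowed: List[str]) -> bool:
    """Exact-match check of a handshake's Origin header against the allow-list.

    Browsers always send Origin on WebSocket handshakes and cross-site POSTs,
    so a missing header is treated as not allowed (the strict choice). There
    is deliberately no prefix or substring matching: "https://app.example.com"
    must not accept "https://app.example.com.attacker.example".
    """
    if origin_header is None:
        return False
    return origin_header in allowed


if __name__ == "__main__":
    # Constructed sample settings for a quick demonstration.
    print(resolve_cors_origins([]))                    # local default, no "*"
    print(resolve_cors_origins(["https://app.example.com/"]))
```

The allow-list returned here is what a server would hand to the Socket.IO layer and what `origin_allowed` checks during the handshake; with an empty or wildcard setting it is still a concrete list of local origins, never `[]` and never `*`.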