Flowise
[FEATURE] Restrict chatbot to only specific domains
Describe the feature you'd like:
The embed code is visible on the frontend in the browser devtools. This means anyone who wants to embed my chatbot on their website can do so without any restriction.
We should be able to restrict on which domains the chatbot would be functional. Any domains not specified in the chatflow settings should not return any response.
Is this the fix: https://github.com/FlowiseAI/Flowise/pull/1608 ?
The PR I opened will disallow all HTTP calls from unauthorized domains via CORS headers which resolves the chatbot scenario.
It also disallows iframe embedding since that was also 100% possible and they could just embed the entire thing if they wanted via CSP headers.
Both are controlled via env variables and default to the equivalent of the old value, '*'.
One difference is the PR is throwing an error instead of no reply at all which is suggested here as the result. Let me see if I can update it.
Added 089928a to the PR to return no result at all (only disallow the call) to satisfy the requirement in this feature.
As a note, it would be difficult to implement this at the chatflow level; it's likely too late. The preflight OPTIONS request will come beforehand, even for basic requests including websocket or otherwise, where you may not have that information.
The config for allowed domains for CORS and CSP almost always has to be at the env or init level, except in very special cases (tenancy where the app has the tenant at all times, even before authorization, for example).
CSP in specific must be at the init level since they can embed any page they want, not just a chatflow page.
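The env-driven allow-listing the comments above describe, as an added illustration that is not the PR's or Flowise's own code: the origin list and frame-ancestors list come from environment variables, unset means the old open default ('*'), an unlisted origin gets no CORS headers and an empty body instead of an error, and the preflight OPTIONS request is answered before any chatflow lookup. The variable names ALLOWED_ORIGINS and ALLOWED_FRAME_ANCESTORS, the request shape and the reply body are assumptions made for the example.

```javascript
// Assumed env var names (not Flowise's): ALLOWED_ORIGINS, ALLOWED_FRAME_ANCESTORS.
// Both are comma-separated origin lists; unset or '*' keeps the old "allow all" behaviour.
function parseList(value) {
  if (!value || value.trim() === '*') return '*';
  return value.split(',').map((s) => s.trim()).filter(Boolean);
}

// CORS only constrains browsers: a request with no Origin header (same-origin page,
// curl, server-side script) is not subject to it, so this check is about embeds only.
function originAllowed(origin, allowed) {
  if (allowed === '*') return true;
  return allowed.includes(origin);
}

// frame-ancestors decides who may iframe any page of the app, not just one chatflow,
// which is why it has to be set at init time from config rather than per chatflow.
function cspHeader(frameAncestors) {
  const list = frameAncestors === '*' ? '*' : frameAncestors.join(' ');
  return `frame-ancestors ${list}`;
}

// req is a minimal constructed request: { method, headers: { origin } }.
// Returns { status, headers, body } so the decision can be inspected without a server.
function handleRequest(req, env) {
  const allowedOrigins = parseList(env.ALLOWED_ORIGINS);
  const frameAncestors = parseList(env.ALLOWED_FRAME_ANCESTORS);
  const origin = req.headers.origin;
  const headers = { 'Content-Security-Policy': cspHeader(frameAncestors) };

  if (origin && !originAllowed(origin, allowedOrigins)) {
    // Unlisted embed: no Access-Control-Allow-Origin and no body, so the widget
    // simply gets nothing back rather than an error message it could display.
    return { status: 204, headers, body: '' };
  }
  if (origin) {
    // Echo the specific origin when a list is configured; '*' only in the open default.
    headers['Access-Control-Allow-Origin'] = allowedOrigins === '*' ? '*' : origin;
    headers['Vary'] = 'Origin';
    headers['Access-Control-Allow-Methods'] = 'GET, POST, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
  }
  // Preflight arrives before the real call and before any chatflow id is known.
  if (req.method === 'OPTIONS') return { status: 204, headers, body: '' };
  return { status: 200, headers, body: JSON.stringify({ text: 'chatbot reply' }) };
}
```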