Bugs (avatar upload and CORS)
There are two bugs:
- The allowed origin is not working. I can still embed the chatbot on other domains and chat with it.
- The image upload is not working. I can not upload a Bot Avatar via file upload. I have to serve my image via jsdelivr and insert the link.
10 Replies
Image upload is working fine on my end! Can you record a video?
Can you provide an example of a site that has a bot which should not be able to start?
OpenAI Assistant Chat
Home | Skillup
AI好课
Image upload is working now.
Oh right
That's because you are embedding using an iframe here
So the request origin is typebot.co which is allowed
I wonder if I can prevent iframe embedding as well 🤔
Indeed, if embedded iframe’s origin is the same as the API’s origin, requests won't be blocked due to CORS
So the allowed origins mechanism works only if you try to embed the bot with the embed library (not an iframe)
I can add a mechanism to disallow this 🙂
Thanks for reporting this!
Content Security Policy: frame-ancestors example.com;
This could solve it.
It will be hard to enforce all this from the server. The best I can do for now is a client-side check on origins
Will deploy that next monday 👍
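The thread above explains why an allowed-origins check on the API does not stop iframe embedding (the framed bot page itself makes the requests, so the `Origin` the API sees is its own), and why a `frame-ancestors` CSP or a client-side ancestor-origin check is the missing piece. The following is an added example, not Typebot's code; `https://app.example.com` (the one allowed embedder), `https://typebot.co` as the API origin and `https://attacker.example` (an unauthorised embedder) are constructed values for the scenario.

```javascript
// Added example (not Typebot's code): models the CORS-style origin check,
// shows how an iframe embed sidesteps it, and builds the frame-ancestors
// CSP value plus a client-side fallback that close the gap.

// Normalise an origin string: "https://Example.com:443/path" -> "https://example.com".
// Returns null for anything that is not a valid absolute URL.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Server-side check on the request's Origin header. A same-origin request
// (from the bot page served by the API itself) is never blocked by CORS,
// which is exactly the case an iframe embed produces.
function isOriginAllowed(requestOrigin, allowedOrigins, apiOrigin) {
  const origin = normalizeOrigin(requestOrigin);
  if (!origin) return false;
  if (origin === normalizeOrigin(apiOrigin)) return true;
  return allowedOrigins.map(normalizeOrigin).includes(origin);
}

// CSP directive the bot page should send so only listed sites may frame it.
// Full origins (scheme + host) are emitted; a bare host like "example.com"
// would match any scheme. An empty list yields 'none' (no framing at all).
function buildFrameAncestors(allowedOrigins) {
  const sources = allowedOrigins.map(normalizeOrigin).filter(Boolean);
  return `frame-ancestors ${sources.length ? sources.join(" ") : "'none'"}`;
}

// Client-side fallback for when the header cannot be set: the framed page
// passes Array.from(location.ancestorOrigins) (or [document.referrer] where
// ancestorOrigins is unsupported) and refuses to run unless every ancestor
// is on the list. A top-level page has no ancestors and is always fine.
function embedderAllowed(ancestorOrigins, allowedOrigins) {
  if (ancestorOrigins.length === 0) return true;
  const allowed = allowedOrigins.map(normalizeOrigin);
  return ancestorOrigins.every((a) => allowed.includes(normalizeOrigin(a)));
}

// Constructed scenario: one allowed embedder, the API's own origin, and a
// site that was never allowed but embeds the bot through an iframe.
function scenario() {
  const allowed = ["https://app.example.com"];
  const apiOrigin = "https://typebot.co";
  const attacker = "https://attacker.example";
  return {
    // Embed library: the request carries the embedding site's Origin -> blocked.
    embedLibraryBlocked: !isOriginAllowed(attacker, allowed, apiOrigin),
    // Iframe: the bot page on typebot.co makes the request -> passes (the bug).
    iframeRequestPasses: isOriginAllowed(apiOrigin, allowed, apiOrigin),
    // Header that makes the browser refuse to frame the bot on attacker.example.
    cspHeader: buildFrameAncestors(allowed),
    // Client-side check sees the real ancestor and refuses to run.
    clientCheckBlocksAttacker: !embedderAllowed([attacker], allowed),
    legitEmbedderPasses: embedderAllowed(["https://app.example.com"], allowed),
  };
}

module.exports = { normalizeOrigin, isOriginAllowed, buildFrameAncestors, embedderAllowed, scenario };
```

The client-side check is only a fallback: a page that is framed can be kept from running by its own script, but the script must still load first, and `document.referrer` can be stripped by the embedding page's referrer policy, so the `Content-Security-Policy: frame-ancestors` response header is the check the browser enforces before anything runs.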