
Updated 7 months ago

Bugs (avatar upload and CORS)

There are two bugs:
  • The allowed origin is not working. I can still embed the chatbot on other domains and chat with it.
  • The image upload is not working. I can not upload Bot Avatar via file upload. I have to serve my image via jsdelivr and insert the link.
20 comments
Image upload is working fine on my end! Can you record a video?
Can you provide an example of a site that has a bot which should not be able to start?
It shouldn't appear on w3school because I specified https://skillup.day as allowed domain
image upload is working now.
That's because you are embedding using an iframe here
So the request origin is typebot.co which is allowed
I wonder if I can prevent iframe embedding as well 🤔
Indeed, if embedded iframe’s origin is the same as the API’s origin, requests won't be blocked due to CORS
So the allowed origins mechanism works only if you try to embed the bot with the embed library (not iframe)
I can add a mechanism to disallow this 🙂
Thanks for reporting this!
Content-Security-Policy: frame-ancestors example.com;

This could solve it.
It will be hard to enforce all this from the server. The best I can do for now is to do client-side check on origins
Will deploy that next Monday 👍
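
The two checks discussed in this thread, side by side, as an added example that is not Typebot's code: the CORS origin check that an iframe embed passes, and a frame-ancestors header built from the same allow-list. The function names, the constructed origin https://other-site.example and the fail-closed handling of an empty list are assumptions.

```javascript
// Added example; all function names here are hypothetical.
const VIEWER_ORIGIN = "https://typebot.co"; // origin serving the bot page, per the thread

// Reduce a value to scheme://host[:port]; return null for anything unusable.
function normalizeOrigin(value) {
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin;
}

// API-side CORS check: compares the Origin request header with the allow-list.
// A bot loaded in an iframe sends the viewer's own origin, so it always passes.
function corsDecision(requestOrigin, allowedOrigins) {
  const origin = normalizeOrigin(requestOrigin);
  const allowed = new Set([VIEWER_ORIGIN, ...allowedOrigins.map((o) => normalizeOrigin(o))]);
  return origin !== null && allowed.has(origin);
}

// Header for the bot page itself: limits which parent pages may frame it.
// Assumption: if no valid origin is configured, framing is denied ('none').
function frameAncestorsHeader(allowedOrigins) {
  const sources = allowedOrigins.map((o) => normalizeOrigin(o)).filter(Boolean);
  const value = sources.length ? sources.join(" ") : "'none'";
  return ["Content-Security-Policy", `frame-ancestors ${value}`];
}

// Simplified model of the browser's decision for exact-origin sources only.
function mayBeFramedBy(parentOrigin, cspValue) {
  const sources = cspValue.replace(/^frame-ancestors\s+/, "").split(/\s+/);
  return sources.includes(normalizeOrigin(parentOrigin));
}

const allowList = ["https://skillup.day"];
const [, csp] = frameAncestorsHeader(allowList);

// Embed library on a foreign page: the Origin header is the foreign page, CORS blocks it.
console.log("library embed:", corsDecision("https://other-site.example", allowList));
// Iframe on the same foreign page: the Origin header is the viewer, CORS allows it...
console.log("iframe embed (CORS):", corsDecision(VIEWER_ORIGIN, allowList));
// ...while frame-ancestors looks at the parent page and refuses to render.
console.log("iframe embed (CSP):", mayBeFramedBy("https://other-site.example", csp));
```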