We wanted to provide an option for users to specify the domains on which
they can show the website. The rest of the sites shouldn't see the
widget at all.
It's not possible generally through Origin because you can't get Origin
when loading via an iframe. What I've done is add frame ancestors for
the domains specified in allowed domains. I hope this solves most of the
problems.
This is added in a way that it won't affect existing widgets. Only If
they have configured allowed domains, it will start blocking. Otherwise,
it would follow the previous behavior without any changes.
This change supports called wild card domains as well. You can add a
comma‑separated list of domains, either wild card or regular domains.
---
To test, deploy to staging. Call the following API to update the
allowed_domains list.
```
URL: PATCH /api/v1/accounts/<account-id>/inboxes/<inbox-id>
Payload:
{
"channel": { "allowed_domains": "*.chatwoot.dev,chatwoot.com" }
}
```
Fixes https://github.com/chatwoot/chatwoot/issues/1985
At present, the websocket pubsub tokens are present at the contact objects in chatwoot. A better approach would be to have these tokens at the contact_inbox object instead. This helps chatwoot to deliver the websocket events targetted to the specific widget connection, stop contact events from leaking into other chat sessions from the same contact.
Fixes#1682Fixes#1664
Co-authored-by: Pranav Raj S <pranav@chatwoot.com>
Co-authored-by: Muhsin Keloth <muhsinkeramam@gmail.com>
