CodeCow/chatwoot
1
0
Fork 0
mirror of https://github.com/chatwoot/chatwoot.git synced 2026-06-13 21:01:16 +08:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity
codex/locale-loader-audit
chatwoot/app/controllers
History
Muhsin Keloth a4c3d3d8c0
feat(widget): Allow widget loading in mobile app WebViews when domain restrictions are set (#13763) 
When `allowed_domains` is configured on a web widget inbox, the server
responds with Content-Security-Policy: frame-ancestors <domains>, which
blocks the widget iframe in mobile app WebViews. This happens because
WebViews load content from file:// or null origins, which cannot match
any domain in the frame-ancestors directive.

This adds a per-inbox toggle — "Enable widget in mobile apps" — that
skips the frame-ancestors header when the request has no valid Origin
(i.e., it comes from a mobile WebView). Web browsers with a real origin
still get domain restrictions enforced as usual.

<img width="2330" height="1490" alt="CleanShot 2026-03-11 at 10 13
01@2x"
src="https://github.com/user-attachments/assets/d9326fac-020d-4ce7-9ced-0c185468c8fc"
/>


Fixes
https://linear.app/chatwoot/issue/CW-6560/widget-is-not-loading-from-iosandroid-widgets

How to test

1. Go to Settings → Inboxes → (Web Widget) → Configuration
2. Set allowed_domains to a specific domain (e.g., *.example.com)
3. Try loading the widget in a mobile app WebView — it should be blocked
4. Enable "Enable widget in mobile apps" checkbox
5. Reload the widget in the WebView — it should now load successfully
6. Verify the widget on a website not in the allowed domains list is
still blocked

---------

Co-authored-by: iamsivin <iamsivin@gmail.com>
2026-03-17 14:29:41 +04:00
..
api feat(linear): Support refresh tokens and migrate legacy OAuth tokens (#13721) 2026-03-17 13:09:03 +04:00
concerns feat: allow agent bots to toggle typing status (#13705) 2026-03-05 08:13:52 -08:00
devise_overrides fix(signup): normalize account signup config checks (#13745) 2026-03-10 16:35:09 +05:30
google feat: use of imap login as default if present (#10249) 2024-10-09 15:01:11 +05:30
instagram feat: Instagram reauthorization (#11221) 2025-04-03 14:30:48 +05:30
installation feat: Unify user and super admin credentials (#3830) 2022-01-25 16:58:49 -08:00
linear feat(linear): Support refresh tokens and migrate legacy OAuth tokens (#13721) 2026-03-17 13:09:03 +04:00
microsoft feat: add Google login flow and inbox creation (#9580) 2024-06-07 16:37:46 +05:30
notion feat: Whatsapp embedded signup (#11612) 2025-07-14 21:37:06 -07:00
platform/api/v1 feat: Add route to list accounts that belongs to a platform_app (#12140) 2025-08-11 21:23:05 +02:00
public/api/v1 fix: slim help center search results (#13761) 2026-03-17 00:46:23 -07:00
shopify feat(apps): Shopify Integration (#11101) 2025-03-19 15:37:55 -07:00
super_admin Revert "chore: Upgrade Rails to 7.2.2 and update Gemfile dependencies (#11037)" 2026-02-03 21:09:42 -08:00
survey feat: Add INSTALLATION_NAME to global config (#12376) 2025-09-09 12:13:35 +05:30
tiktok feat: TikTok channel (#12741) 2025-12-17 07:54:50 -08:00
twilio feat: Integrate Twilio WhatsApp ProfileName for contact name resolution (#12122) 2025-08-07 12:53:39 +05:30
twitter fix: response body in twitter callback (#6907) 2023-04-14 16:48:28 +05:30
webhooks feat(shopify): Add mandatory compliance webhooks with HMAC verification (#13549) 2026-02-17 16:52:13 +05:30
android_app_controller.rb chore: Universal Linking for Android (#2324) 2021-06-02 08:46:45 -07:00
api_controller.rb chore: Upgrade to Rails 7 (#6719) 2023-05-06 10:44:52 +05:30
apple_app_controller.rb Chore: Apple site association file for deep linking (#805) 2020-05-03 12:16:11 +05:30
application_controller.rb feat: Conversation API to return applied_sla and sla_events (#9174) 2024-04-01 23:30:07 +05:30
dashboard_controller.rb feat: Use amplitude for Cloud Analytics (#13217) 2026-01-09 09:32:09 -08:00
health_controller.rb feat: add lightweight /health endpoint (#13386) 2026-01-29 00:24:01 +05:30
microsoft_controller.rb chore: Automate SSL with Cloudflare (#12021) 2025-07-24 13:09:06 +04:00
oauth_callback_controller.rb refactor: use state-based authentication (#11690) 2025-06-18 17:39:06 +05:30
platform_controller.rb Chore: Inbox Members API improvements (#3008) 2021-09-14 11:55:02 +05:30
public_controller.rb fix: Locale not correct in root url when accessing help center with custom domain (#9110) 2024-03-19 18:48:59 +05:30
slack_uploads_controller.rb fix: handle active storage preview error for password protected pdfs (#11888) 2025-08-11 12:41:37 +05:30
swagger_controller.rb chore: Enable the new Rubocop rules (#7122) 2023-05-19 14:37:10 +05:30
widget_tests_controller.rb feat: Support Dark mode for the widget (#4137) 2022-04-01 20:59:03 +05:30
widgets_controller.rb feat(widget): Allow widget loading in mobile app WebViews when domain restrictions are set (#13763) 2026-03-17 14:29:41 +04:00