fix: allow unauthenticated CORS preflight for embedded bots

[Thebinary110]

Summary

This PR fixes a CORS regression that prevents Dify bots from being embedded on external websites.

Starting from recent versions, embedded bots fail due to rejected CORS preflight requests.
This change introduces a minimal, unauthenticated CORS configuration for embedded bot endpoints while keeping existing authentication and security behavior for console and service APIs unchanged.

Fixes #30440

---

Screenshots

Before | After -- | -- Embedded bot fails with CORS / connection refused | Embedded bot loads and responds correctly

---

Checklist

• This change requires a documentation update, included: Dify Document

• I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)

• I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.

• I've updated the documentation accordingly.

• I ran make lint and make type-check (backend) and cd web && npx lint-staged (frontend) to appease the lint gods

Summary

This PR fixes a CORS regression that prevents Dify bots from being embedded on external websites.

Starting from recent versions, embedded bots fail due to rejected CORS preflight requests.
This change introduces a minimal, unauthenticated CORS configuration for embedded bot endpoints while keeping existing authentication and security behavior for console and service APIs unchanged.

Fixes #30440

This change requires a documentation update, included: Dify Document

I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)

I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.

I've updated the documentation accordingly.

I ran make lint and make type-check (backend) and cd web && npx lint-staged (frontend) to appease the lint gods

[gemini-code-assist]

Summary of Changes

Hello @Thebinary110, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a recent issue where Dify bots failed to load when embedded on external websites due to rejected CORS preflight requests. The solution involves carefully adjusting the CORS settings for embedded bot endpoints to allow unauthenticated preflight requests, thereby restoring their functionality without impacting the security of other API surfaces.

Highlights

• CORS Regression Fix: This pull request resolves a critical CORS regression that was preventing Dify bots from being successfully embedded on external websites.
• Unauthenticated CORS Configuration: A minimal, unauthenticated CORS configuration has been introduced specifically for embedded bot endpoints to allow preflight requests to pass.
• Preservation of Existing Security: The changes ensure that the existing authentication and security behaviors for console and service APIs remain entirely unchanged, focusing only on the embedded bot functionality.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request aims to fix a CORS issue for embedded bots by allowing unauthenticated preflight requests. It introduces a new set of CORS headers EMBED_HEADERS and applies a more restrictive CORS policy to the web_bp blueprint. While the intent is correct, applying this restrictive policy to the entire web_bp is problematic as it seems to also serve authenticated endpoints for the main web application. My review includes a critical comment suggesting a way to apply this new policy only to the relevant bot endpoints, to avoid breaking existing authenticated functionality.

[Thebinary110]

@QuantumGhost also fixed the cors exposing security issie suggested by gemini

[fatelei]

update pr title