From 89463cc11d7fa2fce0a94c968d6d316bf4423695 Mon Sep 17 00:00:00 2001
From: CodeCraftsman <152782737+Thebinary110@users.noreply.github.com>
Date: Tue, 6 Jan 2026 09:10:34 +0530
Subject: [PATCH] fix: allow unauthenticated CORS preflight for embedded bots
 (#30587)

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
---
 api/extensions/ext_blueprints.py | 27 +++++++++++++++++++++++----
 1 file changed, 23 insertions(+), 4 deletions(-)

diff --git a/api/extensions/ext_blueprints.py b/api/extensions/ext_blueprints.py
index cf994c11df..7d13f0c061 100644
--- a/api/extensions/ext_blueprints.py
+++ b/api/extensions/ext_blueprints.py
@@ -6,6 +6,7 @@ BASE_CORS_HEADERS: tuple[str, ...] = ("Content-Type", HEADER_NAME_APP_CODE, HEAD
 SERVICE_API_HEADERS: tuple[str, ...] = (*BASE_CORS_HEADERS, "Authorization")
 AUTHENTICATED_HEADERS: tuple[str, ...] = (*SERVICE_API_HEADERS, HEADER_NAME_CSRF_TOKEN)
 FILES_HEADERS: tuple[str, ...] = (*BASE_CORS_HEADERS, HEADER_NAME_CSRF_TOKEN)
+EMBED_HEADERS: tuple[str, ...] = ("Content-Type", HEADER_NAME_APP_CODE)
 EXPOSED_HEADERS: tuple[str, ...] = ("X-Version", "X-Env", "X-Trace-Id")
 
 
@@ -42,10 +43,28 @@ def init_app(app: DifyApp):
 
     _apply_cors_once(
         web_bp,
-        resources={r"/*": {"origins": dify_config.WEB_API_CORS_ALLOW_ORIGINS}},
-        supports_credentials=True,
-        allow_headers=list(AUTHENTICATED_HEADERS),
-        methods=["GET", "PUT", "POST", "DELETE", "OPTIONS", "PATCH"],
+        resources={
+            # Embedded bot endpoints (unauthenticated, cross-origin safe)
+            r"^/chat-messages$": {
+                "origins": dify_config.WEB_API_CORS_ALLOW_ORIGINS,
+                "supports_credentials": False,
+                "allow_headers": list(EMBED_HEADERS),
+                "methods": ["GET", "POST", "OPTIONS"],
+            },
+            r"^/chat-messages/.*": {
+                "origins": dify_config.WEB_API_CORS_ALLOW_ORIGINS,
+                "supports_credentials": False,
+                "allow_headers": list(EMBED_HEADERS),
+                "methods": ["GET", "POST", "OPTIONS"],
+            },
+            # Default web application endpoints (authenticated)
+            r"/*": {
+                "origins": dify_config.WEB_API_CORS_ALLOW_ORIGINS,
+                "supports_credentials": True,
+                "allow_headers": list(AUTHENTICATED_HEADERS),
+                "methods": ["GET", "PUT", "POST", "DELETE", "OPTIONS", "PATCH"],
+            },
+        },
         expose_headers=list(EXPOSED_HEADERS),
     )
     app.register_blueprint(web_bp)