CORS blocking for my school project

Website URL

http://ceskekraje.great-site.net/

I know you block it, but could you just for my backend for my custom ai chatbot remove it :pray: . The address i want to specifially allow is https://aiceskekraje.vercel.app (the api works on the /chat). I need it because of the history api which uses cookies. Here you have the backend if you don’t trust me mkfdj/aiceskekraje on github. Thank you for the great free hosting you provide Admin.

1 Like

Hi and welcome to the forum

Can you try testing that in your JS code instead of this address

const response = await fetch('https://aiceskekraje.vercel.app/chat'

you use

const response = await fetch('https://aiceskekraje.vercel.app'

3 Likes

That’s dumb, i need to access the api not the website. It’s a CORS problem look into the console: Access to fetch at ‘https://aiceskekraje.vercel.app/chat’ from origin ‘https://ceskekraje.great-site.net’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: The value of the ‘Access-Control-Allow-Credentials’ header in the response is ‘’ which must be ‘true’ when the request’s credentials mode is ‘include’.

1 Like

And .htaccess doesn’t work, I already tried.

1 Like

When you try it, we can continue talking.

4 Likes

I tried it and nothing changed.

1 Like

When I remove credentials: 'include', from the code it will work, but the ai can’t access any older messages, btw it’s running on gpt4o for free via g4f.

1 Like

Thanks (I’m trying to exclude some links in the chain)

is that your Vercel ?

is POST allowed?

maybe this will be of some help to you

4 Likes

It’s mine and CORS works just fine you can run this localy to check that the api works and the infinityfree hostings “security prevention” for some reason prevents the remote cookies.

<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <title>Modern Chat Widget</title> 
  <!--    <link rel="stylesheet" href="styles.css"> -->
</head>
<body>
    <!-- Chat Container -->
    <div id="chat-container">
        <div id="chat-header">
            <h2>Chat</h2>
            <button id="close-chat">✕</button>
        </div>
        <div id="chat-messages"></div>
        <div id="chat-input-container">
            <input type="text" id="chat-input" placeholder="Type a message..." />
            <button id="send-button">Send</button>
        </div>
    </div>

    <!-- Expand Chat Button -->
    <button id="expand-chat">
        <svg fill="#ffffff" height="24px" width="24px" viewBox="0 0 60 60" xmlns="http://www.w3.org/2000/svg">
            <path d="M30,1.5c-16.542,0-30,12.112-30,27c0,5.205,1.647,10.246,4.768,14.604c-0.591,6.537-2.175,11.39-4.475,13.689
	c-0.304,0.304-0.38,0.769-0.188,1.153C0.276,58.289,0.625,58.5,1,58.5c0.046,0,0.093-0.003,0.14-0.01
	c0.405-0.057,9.813-1.412,16.617-5.338C21.622,54.711,25.738,55.5,30,55.5c16.542,0,30-12.112,30-27S46.542,1.5,30,1.5z" />
        </svg>
    </button>

    <!-- Code Snippet Template -->
    <template id="code-snippet-template">
        <div class="code-snippet">
            <button class="copy-button">Copy</button>
            <pre><code></code></pre>
        </div>
    </template>
    

    <!-- Header and Bold Template -->
    <template id="header-template">
        <strong class="header"></strong>
    </template>
    <template id="bold-black-template">
        <span class="bold-black"></span>
    </template>

    <script>
        document.addEventListener('DOMContentLoaded', () => {
            const chatContainer = document.getElementById('chat-container');
            const chatMessages = document.getElementById('chat-messages');
            const chatInput = document.getElementById('chat-input');
            const chatForm = document.getElementById('chat-form');
            const sendButton = document.getElementById('send-button');
            const expandChatButton = document.getElementById('expand-chat');
            const closeChatButton = document.getElementById('close-chat');
            let lastMessage = '';
            expandChatButton.addEventListener('click', () => {
                chatContainer.classList.add('expanded');
                expandChatButton.classList.add('hidden');
            });
        
            closeChatButton.addEventListener('click', () => {
                chatContainer.classList.remove('expanded');
                expandChatButton.classList.remove('hidden');
            });
        
            document.addEventListener('click', (e) => {
                if (e.target.classList.contains('copy-button')) {
                    const codeSnippet = e.target.closest('.code-snippet');
                    const codeElement = codeSnippet.querySelector('code');
                    
                    if (codeElement) {
                        const code = codeElement.textContent; // Get the text
                        navigator.clipboard.writeText(code).then(() => {
                            alert('Code copied to clipboard!');
                        }).catch(() => {
                            alert('Failed to copy code to clipboard.');
                        });
                    } else {
                        console.error('Code element not found!');
                    }
                }
            });
            
            sendButton.addEventListener('click', async () => {
                const message = chatInput.value.trim();
                if (message) {
                    lastMessage = message;
                    addMessageToChat('user', message);
                    chatInput.value = '';
                    addTypingAnimation();
            
                    const MAX_RETRIES = 3; // Maximum number of retries
                    let retryCount = 0; // Retry counter
                    let timeoutReached = false;
            
                    const showRetryButtons = () => {
                        removeTypingAnimation();
                        const messageElement = document.createElement('div');
                        messageElement.className = 'message bot';
                        messageElement.innerHTML = `
                            <p>Čas vyprơel. Zkusit znovu nebo smazat chat?</p>
                            <button id="retry-button">Zkusit znovu</button>
                            <button id="clear-button">Smazat</button>
                        `;
                        chatMessages.appendChild(messageElement);
                        chatMessages.scrollTop = chatMessages.scrollHeight;
            
                        document.getElementById('retry-button').addEventListener('click', () => {
                            messageElement.remove();
                            retryMessage();
                        });
                        document.getElementById('clear-button').addEventListener('click', () => {
                            chatMessages.innerHTML = '';
                        });
                    };
            
                    const timeoutId = setTimeout(() => {
                        timeoutReached = true;
                        showRetryButtons();
                    }, 20000);
            
                    const warningTimeoutId = setTimeout(() => {
                        if (!timeoutReached) {
                            addMessageToChat('bot', 'ProsĂ­m počkejte, generace zprĂĄvy zabrala dĂ©le neĆŸ obvykle.');
                        }
                    }, 15000);
            
                    while (retryCount < MAX_RETRIES) {
                        try {
                            const response = await fetch('https://aiceskekraje.vercel.app/chat', {
                                method: 'POST',
                                headers: { 'Content-Type': 'application/json' },
                                body: JSON.stringify({ message }),
                            });
            
                            if (timeoutReached) return;
            
                            clearTimeout(timeoutId);
                            clearTimeout(warningTimeoutId);
                            removeTypingAnimation();
            
                            if (response.ok) {
                                const data = await response.json();
                                addMessageToChat('bot', data.response);
                                return; // Exit on success
                            } else {
                                console.warn(`Retrying... Attempt ${retryCount + 1}`);
                                retryCount++;
                            }
                        } catch (error) {
                            console.error(`Error sending message: ${error}`);
                            retryCount++;
                            if (retryCount >= MAX_RETRIES) {
                                removeTypingAnimation();
                                addMessageToChat(
                                    'bot',
                                    'Doơlo k chybě pƙi odesílání zprávy. Prosím zkuste to znovu.'
                                );
                            }
                        }
                    }
                }
            });
            
        
            function addMessageToChat(role, content) {
                const messageElement = document.createElement('div');
                messageElement.className = `message ${role}`;
            
                const parsedContent = parseMessageContent(content);
                messageElement.appendChild(parsedContent);
            
                chatMessages.appendChild(messageElement);
                chatMessages.scrollTop = chatMessages.scrollHeight;
            }
            
           
        
            
            function parseMessageContent(content) {
                const messageFragment = document.createDocumentFragment();
            
                // Regex patterns
                const codePattern = /```([\s\S]*?)```/g; // Matches ```...```
                const headerPattern = /##(.+?)##/g; // Matches ###...###
                const boldPattern = /\*\*(.+?)\*\*/g; // Matches ***...***
            
                let lastIndex = 0;
            
                // Replace code blocks
                let match;
                while ((match = codePattern.exec(content)) !== null) {
                    // Append preceding text
                    if (lastIndex < match.index) {
                        const text = content.substring(lastIndex, match.index);
                        messageFragment.appendChild(document.createTextNode(text));
                    }
            
                    // Create a code snippet
                    const codeSnippet = document.getElementById('code-snippet-template').content.cloneNode(true);
                    codeSnippet.querySelector('code').textContent = match[1]; // Add code content
                    messageFragment.appendChild(codeSnippet);
                    
                    // Attach copy functionality to the new snippet
                  //  setTimeout(() => attachCopyFunctionality(), 0); // Ensure DOM updates before attaching            
            
                    lastIndex = codePattern.lastIndex;
                }
            
                // Append remaining content after code blocks
                if (lastIndex < content.length) {
                    content = content.substring(lastIndex);
            
                    // Replace headers
                    content = content.replace(headerPattern, (_, headerText) => {
                        const headerElement = document.getElementById('header-template').content.cloneNode(true);
                        headerElement.querySelector('.header').textContent = headerText.trim();
                        messageFragment.appendChild(headerElement);
                        return '';
                    });
            
                    // Replace bold-black text
                    content = content.replace(boldPattern, (_, boldText) => {
                        const boldElement = document.getElementById('bold-black-template').content.cloneNode(true);
                        boldElement.querySelector('.bold-black').textContent = boldText.trim();
                        messageFragment.appendChild(boldElement);
                        return '';
                    });
            
                    // Add any remaining plain text
                    if (content.trim()) {
                        messageFragment.appendChild(document.createTextNode(content));
                    }
                }
            
                return messageFragment;
            }
        
            function delay(ms) {
                return new Promise(resolve => setTimeout(resolve, ms));
            }
        
            async function addTypingAnimation() {
                const typingElement = document.createElement('div');
                typingElement.className = 'message bot typing';
                chatMessages.appendChild(typingElement);
                chatMessages.scrollTop = chatMessages.scrollHeight;
        
                let keepTyping = true;
        
                const animateTyping = async () => {
                    while (keepTyping) {
                        typingElement.textContent = '.';
                        await delay(500);
                        typingElement.textContent = '..';
                        await delay(500);
                        typingElement.textContent = '...';
                        await delay(500);
                    }
                };
        
                animateTyping();
        
                typingElement.cleanup = () => {
                    keepTyping = false;
                    typingElement.remove();
                };
            }
        
            function removeTypingAnimation() {
                const typingElement = chatMessages.querySelector('.typing');
                if (typingElement && typeof typingElement.cleanup === 'function') {
                    typingElement.cleanup();
                }
            }
        
            function retryMessage() {
                chatInput.value = lastMessage;
                sendButton.click();
            }
        });
        </script>

        <style>
            body {
    font-family: 'Arial', sans-serif;
    background-color: #f9f9f9;
    margin: 0;
    padding: 0;
}

.code-snippet {
    position: relative;
    border: 1px solid #ddd;
    background-color: #f8f8f8;
    border-radius: 5px;
    margin: 10px 0;
    padding: 10px;
    overflow: hidden;
}

#close-chat {
    position: absolute;
    top: 10px;
    right: 10px;
    background-color: #ffffff;
    color: rgb(0, 0, 0);
    border: none;
    border-radius: 3px;
    padding: 5px 10px;
    font-size: 12px;
    cursor: pointer;
    z-index: 10;
    box-shadow: 0 2px 5px rgba(0, 0, 0, 0.1);
}

.code-snippet pre {
    margin: 0;
    padding: 10px;
    overflow-x: auto;
    background: transparent;
}

.copy-button {
    position: absolute;
    top: 10px;
    right: 10px;
    background-color: #007bff;
    color: white;
    border: none;
    border-radius: 3px;
    padding: 5px 10px;
    font-size: 12px;
    cursor: pointer;
    z-index: 10;
    box-shadow: 0 2px 5px rgba(0, 0, 0, 0.1);
}

.copy-button:hover {
    background-color: #0056b3;
}


#chat-container {
    position: fixed;
    bottom: 20px;
    right: 20px;
    width: 350px;
    height: 500px;
    background-color: #ffffff;
    border-radius: 10px;
    box-shadow: 0 8px 20px rgba(0, 0, 0, 0.2);
    display: none;
    flex-direction: column;
    overflow: hidden;
    transition: all 0.3s ease;
    z-index: 1000;
}

#chat-container.expanded {
    display: flex;
}

#chat-header {
    background-color: #007bff;
    color: white;
    padding: 15px;
    display: flex;
    justify-content: space-between;
    align-items: center;
    font-size: 16px;
}

#chat-messages {
    flex: 1;
    padding: 10px;
    overflow-y: auto;
    background-color: #f7f7f7;
}

.message {
    margin-bottom: 10px;
    padding: 10px;
    border-radius: 15px;
    max-width: 70%;
    word-wrap: break-word;
}

.message.user {
    background-color: #007bff;
    color: white;
    align-self: flex-end;
}

.message.bot {
    background-color: #e5e5ea;
    color: black;
    align-self: flex-start;
}

#chat-input-container {
    display: flex;
    padding: 10px;
    border-top: 1px solid #ddd;
    background-color: #ffffff;
}

#chat-input {
    flex-grow: 1;
    padding: 10px;
    border: 1px solid #ccc;
    border-radius: 5px;
    font-size: 14px;
}

#send-button {
    margin-left: 10px;
    padding: 10px 15px;
    background-color: #007bff;
    color: white;
    border: none;
    border-radius: 5px;
    font-size: 14px;
    cursor: pointer;
}

#expand-chat {
    position: fixed;
    bottom: 20px;
    right: 20px;
    width: 60px;
    height: 60px;
    background-color: #007bff;
    color: white;
    border: none;
    border-radius: 50%;
    box-shadow: 0 4px 10px rgba(0, 0, 0, 0.2);
    display: flex;
    justify-content: center;
    align-items: center;
    cursor: pointer;
    z-index: 1000;
}

#expand-chat svg {
    width: 24px;
    height: 24px;
    fill: white;
}

.hidden {
    display: none;
}

#expand-chat.hidden {
    display: none !important;
}


.message.bot.typing {
    font-style: italic;
    color: gray;
}

        </style>
</body>
</html>
1 Like

This is really bad Admin fix this this a xcss vulnerability.

1 Like

If it is an xss vulnerability, that’s on you to fix because it’s your website. I also don’t think you know what you are talking about because that’s neither what it’s called, nor does it have any relation to CORS

6 Likes

No but when you type code in this format code it shouldn’t render on this site and it rendered, this could be used if correctly changed to a exploit

1 Like

I was sending here proof that the api works and that the CORS is the hosting problem which I can’t fix I read the fourms: Index.html - Pastebin.com

1 Like
  1. You did not format the code in a code block. I fixed it for you.

  2. If you try to enter code that could cause a vulnerability, it won’t render. The developers behind the forum software know what they are doing.

4 Likes

Ok, I was worried for a while

1 Like

you have this?

4 Likes

The fix was to add the CORS to vercel, but still I couldn’t pass the cookies, so a simple fix was to change this from cookies to a code which last a session now even if all cookies are blocked it will load the history just fine. Big thanks to Oxy

2 Likes

That prevents other people from accessing your website, it does not stop you from accessing other websites. So I don’t think it’s relevant here.

8 Likes

We don’t block that, because we can’t block that. It’s not possible to get or set cookies for one website on another website. It would be absolute insanity if you would be able to grab cookies for any other website, like google.com or facebook.com, from your any website.

It’s not possible to access those “remote cookies” from your website. And if they are inaccessible to your website, it means that they are inaccessible to us too.

Please do your research before shouting accusations like that.

This forum supports formatting posts with HTML code. You can for example use HTML tags like <a> for links, <h1> for titles and <strong> to emphasize text. HTML tags that are not supported (including - very importantly - <script> tags) are removed for obvious security reasons.

Being able to use HTML is a feature, not a vulnerability. You can’t do cross site scripting with a markup language. You need scripting to do cross site scripting, and you can’t put your own HTML code in here.

7 Likes

Thank you :slight_smile:
and please change the cursor because it was hard for me to click for the AI ​​chat icon :joy:

3 Likes