Issues / #39
Nimschatwidget: cross-origin embeddable widget for external org websites
proposed
feature
Priority: medium
Project: nimschatwidget
Reporter:
19 Mar 2026 14:49
Description
## Context
nimschatwidget runs as a standalone container on land, serving the chat backend for all NimsForest web tools. Currently it only supports same-origin usage (NimsForest services on land).
## Proposal
Make nimschatwidget embeddable on external org websites (orgname.mynimsforest.com) with proper security.
### Changes needed
- Embed token system: org registers allowed domains, gets a scoped token
- Origin allowlist validation (token -> allowed origins)
- Rate limiting per token / per IP on /chat/send
- Crypto-random session ID generation (server-side)
- Widget JS: support `baseURL` config (full URL for cross-origin), pass embed token in requests
- CORS headers based on token's allowed origins (not wildcard)
- Keep backward compat with `basePath` for same-origin NimsForest tools
### Security
- Embed token as primary auth gate
- Origin allowlist checked server-side
- Rate limiting on /chat/send
- Defense in depth: token + origin + rate limit
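One way the three gates under "Changes needed" and "Security" fit together on the server side, written here as an added Go sketch rather than nimschatwidget's own code: the project's implementation language, the in-memory embed-token registry and the token/origin values are all assumptions constructed for the example.

```go
package main

import (
	"net/http"
	"sync"
	"time"
)

// Embed-token registry: token -> allowed origins (exact scheme+host matches).
// Assumption: the real project would load this from its org registration store.
var embedTokens = map[string]map[string]bool{"tok-example-org": {"https://exampleorg.mynimsforest.com": true}}

// rateLimiter is an in-memory fixed-window counter keyed by embed token or client IP.
type rateLimiter struct {
	mu        sync.Mutex
	limit     int
	window    time.Duration
	hits      map[string]int
	windowEnd map[string]time.Time
}

func newRateLimiter(limit int, window time.Duration) *rateLimiter {
	return &rateLimiter{limit: limit, window: window, hits: map[string]int{}, windowEnd: map[string]time.Time{}}
}

func (r *rateLimiter) allow(key string, now time.Time) bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	if !now.Before(r.windowEnd[key]) { // first hit or window expired: open a new window
		r.hits[key], r.windowEnd[key] = 0, now.Add(r.window)
	}
	r.hits[key]++
	return r.hits[key] <= r.limit
}

// authorizeSend applies the gates for /chat/send in order: embed token, server-side origin
// allowlist, then per-token and per-IP rate limits. It returns the exact origin to echo in
// Access-Control-Allow-Origin (never "*") plus the HTTP status to send.
func authorizeSend(token, origin, ip string, lim *rateLimiter, now time.Time) (string, int) {
	origins, ok := embedTokens[token]
	if !ok {
		return "", http.StatusUnauthorized // unknown or missing token: primary auth gate
	}
	if !origins[origin] {
		return "", http.StatusForbidden // Origin header not on this token's allowlist
	}
	if !lim.allow("token:"+token, now) || !lim.allow("ip:"+ip, now) {
		return "", http.StatusTooManyRequests
	}
	return origin, http.StatusOK
}
```

Requests rejected at the token or origin gate never reach the rate limiter, so the CORS header is only ever set to an origin the token was registered for.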
Comments (1)
nebula
19 Mar 2026 15:00
Grooming: set priority to medium
Nebula's reasoning: This feature enables nimschatwidget to serve external org websites (mynimsforest.com domains), which is a meaningful capability expansion. However, same-origin usage for NimsForest services already works, so no users are currently blocked. Medium priority reflects its importance for the external org use case without displacing any critical fixes.