Embeddable Chat Widget—Security?


I was going to add a chat widget, Smallchat, to one of my Glitch projects. I thought that using Smallchat would be a cool way for people to ask me questions about the project, if they want. The embed code for the widget is a one-line JavaScript snippet that goes anywhere within <body> in index.html. It's nice and simple, but is it secure to add the widget like this?

Here’s what the JavaScript looks like:

<script src="https://embed.small.chat/[[UNIQUE ID/SECRET/IDENTIFYING THING I GUESS]].js" async></script>

Since the snippet goes right in index.html, the whole https://embed.small.chat... URL with the unique ID would be visible. However, I don’t know what someone could do with this information besides embed a Smallchat widget with my unique ID in their site/project.


It's the recommended approach proposed by Smallchat itself; I shouldn't be worried. On their homepage they're using the same kind of code.

The thing is that I was able to copy and paste the script code and use it from my Glitch app, embedding their chat into my application, since they have no domain restriction at all. But think about it: the worst-case scenario is that someone else embeds the chat on their website and visitors talk to you.

The unique ID is not that sensitive beyond the point made above, but I would suggest that Smallchat add a domain verification feature for their embeds.


About the point of having someone embed your code into another website, I spoke with them and they replied this:

It’s not on our roadmap at the moment, but if you ever have any issues with someone using your embed code maliciously, shoot us an email to support@small.chat, and we’ll restrict it manually.
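As an added example (not Smallchat's code and not part of the original thread), here is how an embed provider could implement the domain verification suggested above: the server that hands out the per-widget `.js` file checks the Referer of the loading page against an allowlist the widget owner configured. The allowlist store, widget ids and endpoint shape are hypothetical.

```javascript
// Hypothetical embed provider: serve /<widgetId>.js only to allowlisted hosts.
// Classic <script src> loads do not carry an Origin header, so the Referer
// (host part only) is what the server can check. Fail closed everywhere.

// Constructed allowlist: widget id -> hosts allowed to embed it.
// A "*.example.org" entry permits any subdomain of example.org, not example.org itself.
const EMBED_ALLOWLIST = new Map([
  ["widget-abc123", ["my-project.glitch.me", "*.example.org"]],
]);

// Hostname of a Referer header value, or null if it is missing or unparseable.
function hostnameFromHeader(value) {
  if (!value) return null;
  try {
    return new URL(value).hostname.toLowerCase();
  } catch {
    return null; // garbage header: treat as absent and deny below
  }
}

// Exact host match, or wildcard entry matching at least one label under the base.
// Compared against the parsed hostname only, so "my-project.glitch.me.evil.example"
// or "?u=my-project.glitch.me" in the query string never match.
function hostMatches(host, entry) {
  if (entry.startsWith("*.")) {
    return host.endsWith("." + entry.slice(2));
  }
  return host === entry;
}

// May a page at `referer` load widget `widgetId`?
// Unknown widget, missing/garbled Referer, or no allowlist match -> false.
function isEmbedAllowed(widgetId, referer) {
  const allowed = EMBED_ALLOWLIST.get(widgetId);
  if (!allowed) return false;
  const host = hostnameFromHeader(referer);
  if (host === null) return false;
  return allowed.some((entry) => hostMatches(host, entry));
}

// What the embed endpoint returns: the widget loader, or a 403 with an empty stub
// so an unauthorised page gets no working widget.
function serveEmbedScript(widgetId, referer) {
  if (!isEmbedAllowed(widgetId, referer)) {
    return { status: 403, body: "/* embed not permitted from this origin */" };
  }
  return { status: 200, body: `window.ChatWidget.init(${JSON.stringify(widgetId)});` };
}
```

A Referer can be suppressed by the page's Referrer-Policy or forged by a non-browser client, so this check stops casual copy-and-paste embedding rather than a determined attacker; the chat backend should still tie sessions and messages to the widget owner's account rather than trusting the loader alone.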


Awesome! Thank you so much for your help! I’m ignorant when it comes to security and embeddables, so I just didn’t know if the unique ID would expose me to anything. The fact that I couldn’t put anything in the .env folder for Smallchat had me spooked. But I’m kind of new to code in general so I don’t always know what to be scared of and what’s okay.

Thanks for checking on this as well! Super appreciate all your help, @kinduff!