From 04c90de2a5983b9b4c3b54a324a1858c0458c592 Mon Sep 17 00:00:00 2001 From: Rodrigo Ribeiro Gomes Date: Fri, 7 Nov 2025 12:18:20 -0300 Subject: [PATCH 1/2] Document CORS requirements for direct external tools Added section on CORS and direct tools, including example code for Node.js. --- docs/features/plugin/tools/development.mdx | 41 +++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/docs/features/plugin/tools/development.mdx b/docs/features/plugin/tools/development.mdx index 9ddbfc74..97dd3f97 100644 --- a/docs/features/plugin/tools/development.mdx +++ b/docs/features/plugin/tools/development.mdx @@ -1582,7 +1582,46 @@ async def create_dashboard(): ) ``` -The embedded content automatically inherits responsive design and integrates seamlessly with the chat interface, providing a native-feeling experience for users interacting with your tools. +The embedded content automatically inherits responsive design and integrates seamlessly with the chat interface, providing a native-feeling experience for users interacting with your tools. + +#### CORS and Direct Tools + +Direct external tools are tools that run directly from the browser. In this case, the tool is called by JavaScript in the user's browser. +Because we depend on the Content-Disposition header, when using CORS on a remote tool server, the OpenWeb UI cannot read that header due to Access-Control-Expose-Headers, which prevents certain headers from being read from the fetch result. +To prevent this, you must set Access-Control-Expose-Headers to Content-Disposition. Check the example below of a tool using Node.js: + + +```javascript +const app = express(); +const cors = require('cors'); + +app.use(cors()) + +app.get('/tools/dashboard', (req,res) => { + let html = ` +
+

System Dashboard

+ + + +
+ ` + res.set({ + 'Content-Disposition': 'inline' + ,'Access-Control-Expose-Headers':'Content-Disposition' + }) + res.send(html) +}) +``` + +More info about the header: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Expose-Headers + ## External packages From 5d8afea3671640c0dfbd63351e79d6bc5aa4136c Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Fri, 7 Nov 2025 22:56:44 +0100 Subject: [PATCH 2/2] Fix typo in CORS and Direct Tools section Corrected the term 'OpenWeb UI' to 'Open WebUI' for consistency. --- docs/features/plugin/tools/development.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/features/plugin/tools/development.mdx b/docs/features/plugin/tools/development.mdx index 97dd3f97..92f98d75 100644 --- a/docs/features/plugin/tools/development.mdx +++ b/docs/features/plugin/tools/development.mdx @@ -1587,7 +1587,7 @@ The embedded content automatically inherits responsive design and integrates sea #### CORS and Direct Tools Direct external tools are tools that run directly from the browser. In this case, the tool is called by JavaScript in the user's browser. -Because we depend on the Content-Disposition header, when using CORS on a remote tool server, the OpenWeb UI cannot read that header due to Access-Control-Expose-Headers, which prevents certain headers from being read from the fetch result. +Because we depend on the Content-Disposition header, when using CORS on a remote tool server, the Open WebUI cannot read that header due to Access-Control-Expose-Headers, which prevents certain headers from being read from the fetch result. To prevent this, you must set Access-Control-Expose-Headers to Content-Disposition. Check the example below of a tool using Node.js: