I noticed some PRs working on an ALLOWED_MESSAGE_ORIGINS list in the library. Can someone explain what exactly this does/means? Why do so many streamlit domains appear there?
I also see the list come up in the browserâs Developer Tools when running an app.
This list is an allow-list of origins from which a deployed Streamlit app can receive cross-origin messages from. Feel free to revise the list if youâre deploying Streamlit apps on your own.
Just FYI in case someone else is interested, I filed an enhancement request to allow setting the allow-list of origins through the config.toml file, instead of having to manually alter the Streamlit library file.
Since we already have CORS and XRSF config options in there, I think it is the right place for this too.