I noticed some PRs working on an ALLOWED_MESSAGE_ORIGINS list in the library. Can someone explain what exactly this does/means? Why do so many streamlit domains appear there?
I also see the list come up in the browser’s Developer Tools when running an app.
This list is an allow-list of origins from which a deployed Streamlit app can receive cross-origin messages from. Feel free to revise the list if you’re deploying Streamlit apps on your own.
Just FYI in case someone else is interested, I filed an enhancement request to allow setting the allow-list of origins through the config.toml file, instead of having to manually alter the Streamlit library file.
Since we already have CORS and XRSF config options in there, I think it is the right place for this too.
Thanks for stopping by! We use cookies to help us understand how you interact with our website.
By clicking “Accept all”, you consent to our use of cookies. For more information, please see our privacy policy.
Cookie settings
Strictly necessary cookies
These cookies are necessary for the website to function and cannot be switched off. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms.
Performance cookies
These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us understand how visitors move around the site and which pages are most frequently visited.
Functional cookies
These cookies are used to record your choices and settings, maintain your preferences over time and recognize you when you return to our website. These cookies help us to personalize our content for you and remember your preferences.
Targeting cookies
These cookies may be deployed to our site by our advertising partners to build a profile of your interest and provide you with content that is relevant to you, including showing you relevant ads on other websites.