What does ALLOWED_MESSAGE_ORIGINS actually do/mean?

Hi everyone,

I noticed some PRs working on an ALLOWED_MESSAGE_ORIGINS list in the library. Can someone explain what exactly this does/means? Why do so many streamlit domains appear there?

I also see the list come up in the browser’s Developer Tools when running an app.

Thanks in advance!

1 Like


Is there any concern if we empty the list in the Streamlit source code? We don’t want all those Streamlit URLs to show up in our deployed app…

Hey @marduk,

This list is an allow-list of origins from which a deployed Streamlit app can receive cross-origin messages from. Feel free to revise the list if you’re deploying Streamlit apps on your own.


Hi again,

Just FYI in case someone else is interested, I filed an enhancement request to allow setting the allow-list of origins through the config.toml file, instead of having to manually alter the Streamlit library file.

Since we already have CORS and XRSF config options in there, I think it is the right place for this too.

1 Like