What does ALLOWED_MESSAGE_ORIGINS actually do/mean?

marduk · February 15, 2023, 1:36pm

Hi everyone,

I noticed some PRs working on an ALLOWED_MESSAGE_ORIGINS list in the library. Can someone explain what exactly this does/means? Why do so many streamlit domains appear there?

I also see the list come up in the browser’s Developer Tools when running an app.

Thanks in advance!

marduk · February 15, 2023, 2:18pm

Additionally:

Is there any concern if we empty the list in the Streamlit source code? We don’t want all those Streamlit URLs to show up in our deployed app…

Caroline · February 16, 2023, 4:05pm

Hey @marduk,

This list is an allow-list of origins from which a deployed Streamlit app can receive cross-origin messages from. Feel free to revise the list if you’re deploying Streamlit apps on your own.

marduk · March 29, 2023, 7:03am

Hi again,

Just FYI in case someone else is interested, I filed an enhancement request to allow setting the allow-list of origins through the config.toml file, instead of having to manually alter the Streamlit library file.

Since we already have CORS and XRSF config options in there, I think it is the right place for this too.

github.com/streamlit/streamlit

Make "allowed message origins" a config option instead of hard-coded list

opened 06:58AM - 29 Mar 23 UTC

marduk2

type:enhancement

### Problem The list of **allowed-message-origins** is currently hard-coded, …which means that in order to change it we have to manually alter the Streamlit library file `streamlit/web/server/routes.py`. ### Solution **Preferred solution:** Enable **allowedMessageOrigins** as an option in the `.streamlit/config.toml` file. --- Community voting on feature requests enables the Streamlit team to understand which features are most important to our users. **If you'd like the Streamlit team to prioritize this feature request, please use the 👍 (thumbs up emoji) reaction in response to the initial post.**