Add client.allowedOrigins config option#13829
Open
lukasmasuch wants to merge 1 commit intodevelopfrom
Open
Conversation
Implement a new configuration option to allow deployers to customize which origins can send cross-origin postMessage commands to embedded Streamlit apps. Moves the default allowed origins list from hardcoded constants in routes.py to the config system, making it configurable via config.toml.
Contributor
✅ PR preview is ready!
|
Contributor
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
lukasmasuch
changed the title
client.allowedOrigins config option
![graphite-app[bot]](https://avatars.githubusercontent.com/in/158384?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Pull request overview
This PR implements a new client.allowedOrigins configuration option that allows deployers to customize which origins can send cross-origin postMessage commands to embedded Streamlit apps. Previously, the list of allowed Community Cloud origins was hardcoded in routes.py.
Changes:
- Moved
_DEFAULT_ALLOWED_MESSAGE_ORIGINSconstant fromroutes.pytoconfig.py - Added new
client.allowedOriginsconfig option withmultiple=Trueto accept a list of origin strings - Updated both Tornado (
routes.py) and Starlette (starlette_routes.py) server implementations to useconfig.get_option("client.allowedOrigins")instead of the hardcoded constant - Updated test imports and added the new config key to the test that validates all config option keys
- Added unrelated
ty: ignore[unresolved-attribute]type checker suppression comments to existing test code
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| lib/streamlit/config.py | Defines _DEFAULT_ALLOWED_MESSAGE_ORIGINS constant and creates new client.allowedOrigins config option with proper description and default value |
| lib/streamlit/web/server/routes.py | Removes hardcoded constant and updates HostConfigHandler to use config option |
| lib/streamlit/web/server/starlette/starlette_routes.py | Updates _host_config_endpoint to use config option instead of importing constant |
| lib/tests/streamlit/web/server/routes_test.py | Updates import to reference constant from config module instead of routes |
| lib/tests/streamlit/config_test.py | Adds new config key to validation test and adds type checker suppression comments to unrelated test code |
lukasmasuch
added
security-assessment-completed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Describe your changes
Implement a new
client.allowedOriginsconfiguration option to allow deployers to customize which origins can send cross-origin postMessage commands to embedded Streamlit apps. The default list of Community Cloud origins is now configurable viaconfig.tomlinstead of being hardcoded.Github Issues
Testing Plan
config.get_option()Contribution License Agreement
By submitting this pull request you agree that all contributions to this project are made under the Apache 2.0 license.
Cursor Bugbot reviewed your changes and found no issues for commit f20b7b5