Go directly to the end of this gist.
Recently i came across this streamlit issue: streamlit/streamlit#6389 .
I don't know why this is implemented in such a way, Author could have try to get values firstly from config, and if not set then assign default.
Just because you sell one version as community-edition, doesn't means that you'd follows bad practices. Now, here we're trying to fix dirty issue in dirty way.
This issue came from below file(s):
streamlit/web/server/routes.py
Line 191, where they declare a variable named: _DEFAULT_ALLOWED_MESSAGE_ORIGINS with hardcoded values as:
_DEFAULT_ALLOWED_MESSAGE_ORIGINS = [
# Community-cloud related domains.
# We can remove these in the future if community cloud
# provides those domains via the host-config endpoint.
"https://devel.streamlit.test",
"https://*.streamlit.apptest",
"https://*.streamlitapp.test",
"https://*.streamlitapp.com",
"https://share.streamlit.io",
"https://share-demo.streamlit.io",
"https://share-head.streamlit.io",
"https://share-staging.streamlit.io",
"https://*.demo.streamlit.run",
"https://*.head.streamlit.run",
"https://*.staging.streamlit.run",
"https://*.streamlit.run",
"https://*.demo.streamlit.app",
"https://*.head.streamlit.app",
"https://*.staging.streamlit.app",
"https://*.streamlit.app",
]
This variable is used in a class in same file at line 214, as:
class HostConfigHandler(_SpecialRequestHandler):
def initialize(self):
# Make a copy of the allowedOrigins list, since we might modify it later:
self._allowed_origins = _DEFAULT_ALLOWED_MESSAGE_ORIGINS.copy()
if (
config.get_option("global.developmentMode")
and "http://localhost" not in self._allowed_origins
):
# Allow messages from localhost in dev mode for testing of host <-> guest communication
self._allowed_origins.append("http://localhost")
async def get(self) -> None:
self.write(
{
"allowedOrigins": self._allowed_origins,
"useExternalAuthToken": False,
# Default host configuration settings.
"enableCustomParentMessages": False,
"enforceDownloadInNewTab": False,
"metricsUrl": "",
"blockErrorDialogs": False,
}
)
self.set_status(200)
Author could have try to get values from config file, lets say, config.get_option("allowed_origins"), and if it is not set then use default value. like:
_DEFAULT_ALLOWED_MESSAGE_ORIGINS = config.get_option("allowed_origins") or [
# Community-cloud related domains.
# We can remove these in the future if community cloud
# provides those domains via the host-config endpoint.
"https://devel.streamlit.test",
"https://*.streamlit.apptest",
"https://*.streamlitapp.test",
"https://*.streamlitapp.com",
"https://share.streamlit.io",
"https://share-demo.streamlit.io",
"https://share-head.streamlit.io",
"https://share-staging.streamlit.io",
"https://*.demo.streamlit.run",
"https://*.head.streamlit.run",
"https://*.staging.streamlit.run",
"https://*.streamlit.run",
"https://*.demo.streamlit.app",
"https://*.head.streamlit.app",
"https://*.staging.streamlit.app",
"https://*.streamlit.app",
]
This could have make the life little easy, there could be other ways also, to make this work.
You can use any way, if it works. My temporary solution for Streamlit, version 1.45.1, until they fix it is:
- Create a python file named:
streamlit_patch.py. - Call/inject this file before you're actually calling your streamlit app, or at the start of program.
- Lets assume, your config values came from
config.get(key, default)method, and allowed origins are stored inallowed_originsnamed variable. - In this file, paste below code:
from streamlit.web.server import routes routes._DEFAULT_ALLOWED_MESSAGE_ORIGINS = config.get("allowed_origins", None) or ["your", "default", "origins"] - Thats it, try runnig now, and try changing CORS setting, this much should work.
If app is capable of setting it from config, then use that, rather than this.