Share via


CoreWebView2CustomSchemeRegistration.AllowedOrigins Property

Definition

List of origins that are allowed to issue requests with the custom scheme, such as XHRs and subresource requests that have an Origin header.

public System.Collections.Generic.List<string> AllowedOrigins { get; set; }
member this.AllowedOrigins : System.Collections.Generic.List<string> with get, set
Public Property AllowedOrigins As List(Of String)

Property Value

Remarks

The origin of any request (requests that have the [Origin header](https://developer.mozilla.org/docs/Web/HTTP/Headers/Origin)) to the custom scheme URI needs to be in this list. No-origin requests are requests that do not have an Origin header, such as link navigations, embedded images and are always allowed. Note that cross-origin restrictions still apply. From any opaque origin (Origin header is null), no cross-origin requests are allowed. If the list is empty, no cross-origin request to this scheme is allowed. Origins are specified as a string in the format of scheme://host:port. The origins are string pattern matched with * (matches 0 or more characters) and ? (matches 0 or 1 character) wildcards just like the URI matching in the AddWebResourceRequestedFilter(String, CoreWebView2WebResourceContext, CoreWebView2WebResourceRequestSourceKinds) API. For example, http://*.example.com:80.

Here's a set of examples of what is allowed or not:

Request URIOriginating URLAllowedOriginsAllowed
custom-scheme:requesthttps://www.example.com{"https://www.example.com"}Yes
custom-scheme:requesthttps://www.example.com{"https://*.example.com"}Yes
custom-scheme:requesthttps://www.example.com{"https://www.example2.com"}No
custom-scheme-with-authority://host/pathcustom-scheme-with-authority://host2{""}No
custom-scheme-with-authority://host/pathcustom-scheme-with-authority2://host{"custom-scheme-with-authority2://*"}Yes
custom-scheme-without-authority:pathcustom-scheme-without-authority:path2{"custom-scheme-without-authority:*"}No
custom-scheme-without-authority:pathcustom-scheme-without-authority:path2{"*"}Yes

Applies to