List of origins that are allowed to issue requests with the custom scheme, such as XHRs and subresource requests that have an Origin header. The origin of any request that has an Origin header and targets the custom scheme URI needs to be in this list. No-origin requests are requests that do not have an Origin header, such as link navigations and embedded images, and are always allowed.

Note: POST requests always contain an Origin header, therefore AllowedOrigins must be set even for same-origin POST requests.

Note that cross-origin restrictions still apply. From any opaque origin (Origin header is null), no cross-origin requests are allowed. If the list is empty, no cross-origin request to this scheme is allowed.

Origins are specified as a string in the format of scheme://host:port. The origins are string pattern matched with * (matches 0 or more characters) and ? (matches 0 or 1 character) wildcards, just like the URI matching in the AddWebResourceRequestedFilter API. For example, "http://*.example.com:80".

Here's a set of examples of what is allowed and not:

| Request URI | Originating URL | AllowedOrigins | Allowed |
| -- | -- | -- | -- |
| custom-scheme:request | https://www.example.com | {"https://www.example.com"} | Yes |
| custom-scheme:request | https://www.example.com | {"https://*.example.com"} | Yes |
| custom-scheme:request | https://www.example.com | {"https://www.example2.com"} | No |
| custom-scheme-with-authority://host/path | custom-scheme-with-authority://host2 | {""} | No |
| custom-scheme-with-authority://host/path | custom-scheme-with-authority2://host | {"custom-scheme-with-authority2://*"} | Yes |
| custom-scheme-without-authority:path | custom-scheme-without-authority:path2 | {"custom-scheme-without-authority:*"} | No |
| custom-scheme-without-authority:path | custom-scheme-without-authority:path2 | {"*"} | Yes |

The returned strings and the array itself must be deallocated with CoTaskMemFree.
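
A model of the wildcard rules and the first five table rows above, added here as an example for reviewing an AllowedOrigins list; it is not WebView2's implementation or code from the original documentation. `PatternMatches` and `OriginAllowed` are hypothetical names, matching is assumed to be case-sensitive and to cover the whole origin string, and the two rows for schemes without authority are not modeled.

```cpp
#include <iostream>
#include <string>
#include <vector>
// Model of the documented wildcard rules: '*' matches 0 or more characters,
// '?' matches 0 or 1 character, any other character matches itself.
// Assumption: case-sensitive, and the pattern must cover the whole origin.
bool PatternMatches(const std::string& pattern, const std::string& origin) {
    const std::size_t P = pattern.size(), S = origin.size();
    // ok[i][j] is true when pattern[i..] matches origin[j..].
    std::vector<std::vector<bool>> ok(P + 1, std::vector<bool>(S + 1, false));
    ok[P][S] = true;
    for (std::size_t i = P; i-- > 0;) {
        for (std::size_t j = S + 1; j-- > 0;) {
            const char c = pattern[i];
            if (c == '*')
                ok[i][j] = ok[i + 1][j] || (j < S && ok[i][j + 1]);
            else if (c == '?')
                ok[i][j] = ok[i + 1][j] || (j < S && ok[i + 1][j + 1]);
            else
                ok[i][j] = j < S && c == origin[j] && ok[i + 1][j + 1];
        }
    }
    return ok[0][0];
}

// True when the Origin header value matches at least one entry; an empty list matches nothing.
bool OriginAllowed(const std::vector<std::string>& allowed, const std::string& origin) {
    for (const auto& pattern : allowed)
        if (PatternMatches(pattern, origin)) return true;
    return false;
}

int main() {
    struct Case { std::vector<std::string> allowed; std::string origin; };
    const std::vector<Case> cases = {
        // Rows 1-5 of the table above (origin taken from the Originating URL column).
        {{"https://www.example.com"}, "https://www.example.com"},
        {{"https://*.example.com"}, "https://www.example.com"},
        {{"https://www.example2.com"}, "https://www.example.com"},
        {{""}, "custom-scheme-with-authority://host2"},
        {{"custom-scheme-with-authority2://*"}, "custom-scheme-with-authority2://host"},
        // Constructed review cases: a pattern without the dot separator is over-broad.
        {{"https://*example.com"}, "https://notexample.com"},
        {{"https://*.example.com"}, "https://notexample.com"},
    };
    for (const auto& c : cases)
        std::cout << c.origin << " vs " << c.allowed[0] << " -> "
                  << (OriginAllowed(c.allowed, c.origin) ? "allowed" : "blocked") << "\n";
}
```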