diff --git a/packages/solo/src/web.js b/packages/solo/src/web.js
index 01dea34d1bb4..aa533ad092a4 100644
--- a/packages/solo/src/web.js
+++ b/packages/solo/src/web.js
@@ -97,7 +97,6 @@ export async function makeHTTPListener(basedir, port, host, rawInboundCommand) {
   // path in /private but not /private/wallet-bridge: also require correct
   // accessToken= in query params
   const validateOriginAndAccessToken = async req => {
-    const { origin } = req.headers;
     const id = `${req.socket.remoteAddress}:${req.socket.remotePort}:`;
 
     const parsedUrl = new URL(req.url, 'http://some-host');
@@ -108,47 +107,26 @@ export async function makeHTTPListener(basedir, port, host, rawInboundCommand) {
       return true;
     }
 
-    // Bypass accessToken just for the wallet bridge.
-    if (fullPath !== '/private/wallet-bridge') {
-      // Validate the private accessToken.
-      const accessToken = await getAccessToken(port);
-      const reqToken = parsedUrl.searchParams.get('accessToken');
-
-      if (!verifyToken(reqToken, accessToken)) {
-        log.error(
-          id,
-          `Invalid access token ${JSON.stringify(
-            reqToken,
-          )}; try running "agoric open"`,
-        );
-        return false;
-      }
+    if (fullPath === '/private/wallet-bridge') {
+      // Bypass accessToken just for the wallet bridge.
+      return true;
     }
 
-    if (!origin) {
-      log.error(id, `Missing origin header`);
-      return false;
-    }
-    const originUrl = new URL(origin);
-    const isLocalhost = hostname =>
-      hostname.match(/^(localhost|127\.0\.0\.1)$/);
+    // Validate the private accessToken.
+    const accessToken = await getAccessToken(port);
+    const reqToken = parsedUrl.searchParams.get('accessToken');
 
-    if (['chrome-extension:', 'moz-extension:'].includes(originUrl.protocol)) {
-      // Extensions such as metamask are local and can access the wallet.
-      // Especially since the access token has been supplied.
+    if (verifyToken(reqToken, accessToken)) {
       return true;
     }
 
-    if (!isLocalhost(originUrl.hostname)) {
-      log.error(id, `Invalid origin host ${origin} is not localhost`);
-      return false;
-    }
-
-    if (!['http:', 'https:'].includes(originUrl.protocol)) {
-      log.error(id, `Invalid origin protocol ${origin}`, originUrl.protocol);
-      return false;
-    }
-    return true;
+    log.error(
+      id,
+      `Invalid access token ${JSON.stringify(
+        reqToken,
+      )}; try running "agoric open"`,
+    );
+    return false;
   };
 
   // accept POST messages to arbitrary endpoints