From 3fcd9a75cdfaec227edd0db547cb35dce529e016 Mon Sep 17 00:00:00 2001 From: Erik Date: Fri, 10 Jul 2026 13:56:41 +0200 Subject: [PATCH] feat: opt into gateway CORS for cross-origin Grafana iframe embed Declare CORS_ALLOW_ORIGINS=["*"]. The kernel loader reads this opt-in and emits Access-Control-Allow-Origin for this module's prefix only, so the SPA's Vite `crossorigin` assets load inside a sandboxed Grafana iframe (opaque origin) instead of being CORS-blocked (blank page). Co-Authored-By: Claude Opus 4.8 (1M context) --- __init__.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/__init__.py b/__init__.py index 764cbf5..678b208 100644 --- a/__init__.py +++ b/__init__.py @@ -33,6 +33,14 @@ MODULE_NAME = "temper_rejects" # MUST match vite.config.ts `base` (with a trailing slash on the Vite side). MODULE_PREFIX = "/module/temper_rejects" +# CORS opt-in (read by the kernel loader, app.core.modules). This login-free board +# is embedded cross-origin in a Grafana text panel, which renders it inside a +# SANDBOXED iframe → the document gets an opaque origin (Origin: null). Vite tags the +# SPA's own JS/CSS `crossorigin`, so those assets are fetched in CORS mode and the +# browser blocks them (blank page) unless the gateway allows the read. "*" is safe: +# this is no-auth, read-only shop-floor data, and only "*" satisfies Origin: null. +CORS_ALLOW_ORIGINS = ["*"] + def register(app: FastAPI) -> None: """Mount the data API and the SPA onto the gateway app.