feat: opt into gateway CORS for cross-origin Grafana iframe embed
Declare CORS_ALLOW_ORIGINS=["*"]. The kernel loader reads this opt-in and emits Access-Control-Allow-Origin for this module's prefix only, so the SPA's Vite `crossorigin` assets load inside a sandboxed Grafana iframe (opaque origin) instead of being CORS-blocked (blank page). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
979aae426b
commit
3fcd9a75cd
@ -33,6 +33,14 @@ MODULE_NAME = "temper_rejects"
|
|||||||
# MUST match vite.config.ts `base` (with a trailing slash on the Vite side).
|
# MUST match vite.config.ts `base` (with a trailing slash on the Vite side).
|
||||||
MODULE_PREFIX = "/module/temper_rejects"
|
MODULE_PREFIX = "/module/temper_rejects"
|
||||||
|
|
||||||
|
# CORS opt-in (read by the kernel loader, app.core.modules). This login-free board
|
||||||
|
# is embedded cross-origin in a Grafana text panel, which renders it inside a
|
||||||
|
# SANDBOXED iframe → the document gets an opaque origin (Origin: null). Vite tags the
|
||||||
|
# SPA's own JS/CSS `crossorigin`, so those assets are fetched in CORS mode and the
|
||||||
|
# browser blocks them (blank page) unless the gateway allows the read. "*" is safe:
|
||||||
|
# this is no-auth, read-only shop-floor data, and only "*" satisfies Origin: null.
|
||||||
|
CORS_ALLOW_ORIGINS = ["*"]
|
||||||
|
|
||||||
|
|
||||||
def register(app: FastAPI) -> None:
|
def register(app: FastAPI) -> None:
|
||||||
"""Mount the data API and the SPA onto the gateway app.
|
"""Mount the data API and the SPA onto the gateway app.
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user