From 9be247c32c99034c51d7bd78076c291691c1a5ea Mon Sep 17 00:00:00 2001 From: Erik Date: Fri, 10 Jul 2026 13:56:33 +0200 Subject: [PATCH] feat: opt into gateway CORS for cross-origin Grafana iframe embed Declare CORS_ALLOW_ORIGINS=["*"]. The kernel loader reads this opt-in and emits Access-Control-Allow-Origin for this module's prefix only, so the SPA's Vite `crossorigin` assets load inside a sandboxed Grafana iframe (opaque origin) instead of being CORS-blocked (blank page). Co-Authored-By: Claude Opus 4.8 (1M context) --- __init__.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/__init__.py b/__init__.py index aec73ac..9860cd7 100644 --- a/__init__.py +++ b/__init__.py @@ -31,6 +31,14 @@ MODULE_NAME = "temper_overview" # MUST match vite.config.ts `base` (with a trailing slash on the Vite side). MODULE_PREFIX = "/module/temper_overview" +# CORS opt-in (read by the kernel loader, app.core.modules). This login-free board +# is embedded cross-origin in a Grafana text panel, which renders it inside a +# SANDBOXED iframe → the document gets an opaque origin (Origin: null). Vite tags the +# SPA's own JS/CSS `crossorigin`, so those assets are fetched in CORS mode and the +# browser blocks them (blank page) unless the gateway allows the read. "*" is safe: +# this is no-auth, read-only shop-floor data, and only "*" satisfies Origin: null. +CORS_ALLOW_ORIGINS = ["*"] + def register(app: FastAPI) -> None: """Mount the data API and the SPA onto the gateway app.