Hugging Face's logo

Spaces:
VibecoderMcSwaggins
/
stroke-deepisles-demo
Paused

App Files Community
stroke-deepisles-demo / docs /bugs /001-cors-static-files-hf-spaces.md
VibecoderMcSwaggins's picture
VibecoderMcSwaggins
fix(deploy): CORS and proxy-headers for HF Spaces (#35)
1efb3e0 unverified
preview code
|
raw
history blame contribute delete
2.26 kB

Bug 001: CORS Blocking Static File Requests on HuggingFace Spaces

Status: FIXED Date Found: 2025-12-11 Severity: Critical (blocks core functionality)

Symptoms

  1. Frontend loads successfully, case dropdown populates
  2. Segmentation API call succeeds (200 OK, ~34s processing time)
  3. Results panel shows metrics (Dice Score, Volume, Time)
  4. NiiVue viewer shows "loading..." then error: "Failed to load volume: Failed to fetch"

Root Cause

The CORS allow_origin_regex pattern in src/stroke_deepisles_demo/api/main.py was incorrect:

# WRONG - expects double hyphens
allow_origin_regex=r"https://.*--stroke-viewer-frontend(--.*)?\.hf\.space"

# Actual frontend URL uses single hyphen:
# https://vibecodermcswaggins-stroke-viewer-frontend.hf.space
#                           ^ single hyphen

The regex expected -- (double hyphen) between username and space name, but HuggingFace Spaces direct URLs use single hyphens.

HuggingFace Spaces URL Formats

Format Pattern Example
Direct {username}-{spacename}.hf.space vibecodermcswaggins-stroke-viewer-frontend.hf.space
Proxy/Embed {username}--{spacename}--{hash}.hf.space vibecodermcswaggins--stroke-viewer-frontend--abc123.hf.space

The original regex only matched the proxy format, not the direct format.

Fix 

# CORRECT - matches both formats
allow_origin_regex=r"https://.*stroke-viewer-frontend.*\.hf\.space"

Logs Evidence 

INFO: 10.16.13.79:42834 - "POST /api/segment HTTP/1.1" 200 OK

The API call succeeded, but subsequent static file fetches for NIfTI volumes were blocked by CORS (browser silently blocks and shows "Failed to fetch").

Files Changed

  • src/stroke_deepisles_demo/api/main.py - Fixed regex
  • docs/specs/frontend/36-frontend-without-gradio-hf-spaces.md - Updated spec

Verification

After fix:

  1. Redeploy backend to HF Spaces
  2. Refresh frontend
  3. Run segmentation
  4. NiiVue should load and display the DWI + prediction overlay

Prevention

  • Test CORS configuration with actual production URLs before deployment
  • Add integration test that verifies static file CORS headers
  • Document HF Spaces URL formats in spec