No 'Access-Control-Allow-Origin' header error on embed

Got a site in production with demos embedded from Hugging Face Spaces. Today, they are all getting this error and no users can access the demos. Site is hosted on GitHub Pages, as suggested in Docs.

Access to fetch at '' (redirected from '') from origin '' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Please look into this as it breaks all my projects. Iframe embed returns 404 message on mobile devices. Thank you.

Newly created Spaces do not have this issue. Seems to only impact my old Spaces? Have migrated Spaces for the time being, but would still like to know why this happens!

There were some changes to the infrastructure serving gradio spaces today!

You should also change the url to https://${org-name}-{space-name}

Currently using the following. How should this be adapted?

<gradio-app space="{orgname}/{space-name}"></gradio-app>

Seems crazy an update was pushed which breaks implementations on older versions? And no warning or documentation update to go with it? Or have I missed something.

Hmm @greendra is the Space you are trying to embed a private Space or a public Space? If it’s a public Space, can you link it here?

Public spaces appear to be working for me. Is there a solution for private ones?

Hi @greendra, can you share more about how come you’d like to embed a Space but keep it private? It feels like a security problem to me, but hearing your feedback will be helpful for the Spaces team as we think about how to support these features.

Was working fine for months previously. I did not want the files to appear on the Hugging Face website as they contain files with keys in them. Keys are not stored as secrets because there is no easy way to add and remove 500 secret keys, and I swap them out regularly. Not your average use case, sure. But annoying that it was working before and now is not!

I also like to be able to access my other private spaces from mobile via embed, but I can’t do that anymore.

Hi @greendra, we’re working on a possibility to send a token with your request so we’ll be able to access your private Space and embed it; however, if you embed it on a public page, others will be able to access your private token.


Can you elaborate on this a little more? Why do you use embed to access your private Spaces on mobile instead of just opening HF Spaces on your phone?

It’s just nice to have all my models on one page in one place.

I have added some encryption to my app so that the sensitive data no longer displays, which means it’s okay being public now. However, the feature would still be nice, as I’d rather my Space not be so easily findable and copyable by others, whilst still allowing me to embed it on my sites.

Thanks for all the help. :slight_smile:

Thought I’d just add that another reason is because I run JavaScript in my Gradio model to prevent spam use. This JavaScript does not run on the Hugging Face website, however, but does run when embedded.