add cors headers for file show method

sul-dlss · Dec 6, 2023 · 6f514b4 · 6f514b4
1 parent 31d6fc2
commit 6f514b4
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 10 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -404,6 +404,7 @@ GEM
       zip_tricks (>= 4.2.1, < 6.0)
 
 PLATFORMS
+  x86_64-darwin-19
   x86_64-darwin-20
   x86_64-darwin-22
   x86_64-linux

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -32,4 +32,14 @@ def current_ability
   def ability_class
     Settings.features.cocina ? CocinaAbility : Ability
   end
+
+  # In order for media authentication to work, the wowza server must have
+  # Access-Control-Allow-Credentials header set (which is set by default when CORS is enabled in wowza),
+  # which means that Access-Control-Allow-Origin cannot be set to * (wowza default) and instead
+  # needs to specify a host (e.g. the embed server of choice, presumably used in purl with
+  # particular stacks). This means that only the specified host will be granted credentialed requests.
+  def set_cors_headers
+    response.headers['Access-Control-Allow-Origin'] = Settings.cors.allow_origin_url
+    response.headers['Access-Control-Allow-Credentials'] = 'true'
+  end
 end
diff --git a/app/controllers/file_controller.rb b/app/controllers/file_controller.rb
@@ -7,6 +7,8 @@ class FileController < ApplicationController
     render plain: 'File not found', status: :not_found
   end
 
+  before_action :set_cors_headers, only: [:show]
+
   def show
     return unless stale?(**cache_headers)
 

diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
@@ -32,16 +32,6 @@ def auth_check
 
   private
 
-  # In order for media authentication to work, the wowza server must have
-  # Access-Control-Allow-Credentials header set (which is set by default when CORS is enabled in wowza),
-  # which means that Access-Control-Allow-Origin cannot be set to * (wowza default) and instead
-  # needs to specify a host (e.g. the embed server of choice, presumably used in purl with
-  # particular stacks). This means that only the specified host will be granted credentialed requests.
-  def set_cors_headers
-    response.headers['Access-Control-Allow-Origin'] = Settings.cors.allow_origin_url
-    response.headers['Access-Control-Allow-Credentials'] = 'true'
-  end
-
   def allowed_params
     params.permit(:action, :callback, :id, :file_name, :format, :stacks_token, :user_ip)
   end