diff --git a/app/controllers/file_controller.rb b/app/controllers/file_controller.rb index 76639788..3687c8a1 100644 --- a/app/controllers/file_controller.rb +++ b/app/controllers/file_controller.rb @@ -7,6 +7,8 @@ class FileController < ApplicationController render plain: 'File not found', status: :not_found end + before_action :set_cors_headers, only: [:show], if: proc { current_file.stacks_rights.stanford_restricted? } + # rubocop:disable Metrics/AbcSize def show return unless stale?(**cache_headers) diff --git a/spec/controllers/file_controller_spec.rb b/spec/controllers/file_controller_spec.rb index a52da5ca..5cb7926d 100644 --- a/spec/controllers/file_controller_spec.rb +++ b/spec/controllers/file_controller_spec.rb @@ -11,6 +11,30 @@ Factories.cocina_with_file end + let(:stanford_json) do + { + 'structural' => { + 'contains' => [ + { + 'structural' => { + 'contains' => [ + { + 'filename' => 'xf680rd3068_1.jp2', + 'access' => { + 'view' => 'stanford', + 'download' => 'stanford' + } + } + ] + } + } + ] + } + } + end + + let(:file) { StacksFile.new(id: druid, file_name: 'xf680rd3068_1.jp2') } + describe '#show' do let(:druid) { 'nr349ct7889' } @@ -20,6 +44,7 @@ it 'sends the file to the user' do expect(controller).to receive(:send_file).with(path, filename: 'image.jp2', disposition: :inline).and_call_original subject + expect(response.headers.to_h).to include 'Access-Control-Allow-Origin' => '*' end context 'when file is not in a content addressable path' do 
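Review bot: `set_cors_headers` is wired in by the added `before_action` but is defined outside this hunk, so how it chooses the `Access-Control-Allow-Origin` value cannot be checked here. The spec in this commit expects `Access-Control-Allow-Credentials: true` for Stanford-restricted files, so that value should come from a fixed allowlist of trusted origins and never be copied from the request's `Origin` header. If the value differs per request it also needs `response.headers['Vary'] = 'Origin'`, because `show` goes through `stale?(**cache_headers)` and the response may be cached. A comment above the callback would record the intent, e.g. `# Restricted files are fetched with credentials, so they need an explicit allowed origin instead of '*'.` The class body continues outside the hunk.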
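Review bot: The new `let(:file)` builds its `StacksFile` from `druid`, which `describe '#show'` sets to `'nr349ct7889'`, while the example that uses `file.path` (in the last spec hunk) requests `id: 'xf680rd3068'`. If `StacksFile#path` is derived from the id, which is not visible here, the expected path and the requested file will not agree. Either build the fixture with the id the request uses, `let(:file) { StacksFile.new(id: 'xf680rd3068', file_name: 'xf680rd3068_1.jp2') }`, or issue the request with `id: druid`. A one-line comment on `stanford_json`, such as `# Public JSON for a file whose view and download rights are both 'stanford'`, would also help readers of the nested fixture.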
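Review bot: The expectation added to 'sends the file to the user' pins the wildcard origin for an unrestricted file but does not assert that the credentials header is absent, which is the property that keeps a wildcard acceptable. Adding `expect(response.headers.to_h).not_to include 'Access-Control-Allow-Credentials'` after it would catch a regression where the restricted-file headers leak onto unrestricted responses.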
@@ -32,6 +57,24 @@ "content-disposition" => "attachment; filename=\"image.jp2\"; filename*=UTF-8''image.jp2" ) end + + it 'sets disposition attachment with download param' do + expect(controller).to receive(:send_file).with(file.path, disposition: :attachment).and_call_original + get :show, params: { id: 'xf680rd3068', file_name: 'xf680rd3068_1.jp2', download: 'any' } + end + + context 'when Stanford restricted' do + before do + # stub_rights_xml(stanford_restricted_rights_xml) + allow(Purl).to receive(:public_json).and_return(stanford_json) + end + + it 'sends host-specific and credentials CORS headers' do + subject + expect(response.headers.to_h).to include 'Access-Control-Allow-Origin' => 'https://embed.stanford.edu', + 'Access-Control-Allow-Credentials' => 'true' + end + end end context 'when file is in a content addressable path' do
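Review bot: The 'when Stanford restricted' context checks only that the trusted embed origin is returned, so nothing here fails if the controller starts reflecting whatever `Origin` a browser sends while also allowing credentials. An extra example that sends an origin outside the allowlist and expects it not to be echoed would pin that down; a sketch follows, using a constructed origin value. The commented-out `# stub_rights_xml(stanford_restricted_rights_xml)` line in the `before` block looks like a leftover and can be dropped.

```ruby
context 'when Stanford restricted' do
  # … unchanged: Purl.public_json stub and the allowed-origin example …

  it 'does not echo an origin outside the allowlist' do
    request.headers['Origin'] = 'https://untrusted.example' # constructed sample value
    subject
    expect(response.headers.to_h).not_to include 'Access-Control-Allow-Origin' => 'https://untrusted.example'
  end
end
```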