Set the ACAO header globally to match production server configuration

sul-dlss · Jun 5, 2017 · 5a2ed20 · 5a2ed20
1 parent feef76f
commit 5a2ed20
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 7 deletions.
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
@@ -4,9 +4,14 @@ class ApplicationController < ActionController::Base
   include ActionController::HttpAuthentication::Bearer
 
   rescue_from CanCan::AccessDenied, with: :rescue_can_can
+  before_action :set_origin_header
 
   private
 
+  def set_origin_header
+    response.headers['Access-Control-Allow-Origin'] = '*'
+  end
+
   def current_user
     @current_user ||= if has_basic_credentials?(request)
                         basic_auth_user

diff --git a/app/controllers/media_controller.rb b/app/controllers/media_controller.rb
@@ -2,7 +2,6 @@
 # API for delivering streaming media via stacks
 class MediaController < ApplicationController
   before_action :load_media
-  before_action :set_origin_header, except: [:auth_check]
   before_action :set_cors_headers, only: [:auth_check]
 
   rescue_from ActionController::MissingFile do
@@ -29,12 +28,11 @@ def auth_check
 
   private
 
-  # We do not rely on the web server to set Access-Control-Allow-Origin for *any* /media request,
-  # so we set it manually ourselves.
-  def set_origin_header
-    response.headers['Access-Control-Allow-Origin'] = '*'
-  end
-
+  # In order for media authentication to work, the wowza server must have
+  # Access-Control-Allow-Credentials header set (which is set by default when CORS is enabled in wowza),
+  # which means that Access-Control-Allow-Origin cannot be set to * (wowza default) and instead
+  # needs to specify a host (e.g. the embed server of choice, presumably used in purl with
+  # particular stacks). This means that only the specified host will be granted credentialed requests.
   def set_cors_headers
     response.headers['Access-Control-Allow-Origin'] = Settings.cors.allow_origin_url
     response.headers['Access-Control-Allow-Credentials'] = 'true'