Merge pull request #8340 from mspalti/iiif-cors-policy

Changed default cors policy for IIIF endpoints.
2025-10-07 01:54:22 +00:00 · 2022-06-16 08:49:39 -05:00
parent 5bb55ebb5e d441a6c836
commit f53368011c
1 changed files with 4 additions and 6 deletions
--- a/dspace/config/modules/iiif.cfg
+++ b/dspace/config/modules/iiif.cfg
@@ -26,12 +26,10 @@ iiif.document.viewing.hint = individuals
 # an individual or organization associated with the resource it is attached to.
 # iiif.logo.image = https://image/url/i.png

-# Only these origins (client URLs) can successfully communicate with the IIIF API. This
-# allows XHR requests from remote IIIF clients. Defaults to ${dspace.ui.url} if unspecified
-# (as the embedded IIIF client must have access to the API). Multiple allowed origin URLs may
-# be comma separated. Wildcard value (*) is NOT SUPPORTED. # (Requires reboot of servlet
-# container, e.g. Tomcat, to reload)
-iiif.cors.allowed-origins = ${dspace.ui.url}
+# By default the IIIF endpoint is available to all clients. This allows for sharing
+# and interoperability that are the primary goals of IIIF. You are free to restrict
+# IIIF access to ${dspace.ui.url} and specific domains if you choose to do so.
+iiif.cors.allowed-origins = *

 # Whether or not to allow credentials (e.g. cookies) sent by the client/browser in CORS
 # requests (in "Access-Control-Allow-Credentials" header).