Overview

This is a note on handling CORS configuration for the Omeka S Image Server.

Background

In the following article, I introduced how to address CORS errors with the Omeka S IIIF Server module.

While the above configuration resolved the issue of downloading IIIF manifest files, there were cases where images could not be downloaded, as shown below.

Access to image at 'https://xxx/iiif/2/8455/full/86,/0/default.jpg' from origin 'https://uv-v4.netlify.app' has been blocked by CORS policy: The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed.

This article describes how to address this issue.

Solution

The cause is that the Access-Control-Allow-Origin header is set in more than one place, so the response carries it twice.

Since the CORS settings were applied site-wide through the configuration described in the above article, the fix involves modifying the Image Server module so that its own settings are not applied. Note that this may only be necessary for specific versions of the module and may not be needed when using the latest version.

Specifically, the relevant code is found in the following file:

https://github.com/Daniel-KM/Omeka-S-module-ImageServer/blob/master/src/Controller/ImageController.php

The file contains the following line. There are conditions that control whether it is applied, but depending on the module version or the combination with other modules, these conditions may not work as expected, and the Access-Control-Allow-Origin header ends up being set more than once.

$headers->addHeaderLine('Access-Control-Allow-Origin', '*');

By commenting out lines like the one above, the error 'Access-Control-Allow-Origin' header contains multiple values '*, *' was resolved.
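
To confirm whether a response carries the header twice, before and after the change, the following check parses a raw header block (as printed by `curl -sI`) and evaluates the combined value the way the browser does for a non-credentialed request. It is an added example, not code from the Image Server module; the function names are hypothetical and the two header blocks are constructed samples.

```python
# Added example: detect a duplicated Access-Control-Allow-Origin header.
# SAMPLE_* are constructed header blocks, shaped like `curl -sI` output.

SAMPLE_DUPLICATED = """\
HTTP/1.1 200 OK
Content-Type: image/jpeg
Access-Control-Allow-Origin: *
access-control-allow-origin: *
"""

SAMPLE_FIXED = """\
HTTP/1.1 200 OK
Content-Type: image/jpeg
Access-Control-Allow-Origin: *
"""


def acao_values(raw_headers):
    """Return every Access-Control-Allow-Origin value, in order of appearance."""
    values = []
    for line in raw_headers.splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        # Header names are case-insensitive, so compare in lower case.
        if sep and name.strip().lower() == "access-control-allow-origin":
            values.append(value.strip())
    return values


def check_cors(raw_headers, origin):
    """Return (passes, combined); combined is the value the browser evaluates."""
    values = acao_values(raw_headers)
    if not values:
        return False, None
    # Repeated header lines are combined into one comma-separated value,
    # which is why the console reports '*, *'.
    combined = ", ".join(values)
    # Non-credentialed request: the value must be exactly '*' or the origin.
    return combined in ("*", origin), combined


if __name__ == "__main__":
    for label, raw in (("duplicated", SAMPLE_DUPLICATED), ("fixed", SAMPLE_FIXED)):
        print(label, check_cors(raw, "https://uv-v4.netlify.app"))
```
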

Summary

While encountering this exact issue may be rare, I hope this is helpful for anyone delivering IIIF images using Omeka S.