CORS for player protection¶
CORS (Cross-origin resource sharing) is a mechanism that modern browsers use for restricting access from one domain to the resources of another domain. Basically, when server A requests some page from server B, your browser checks that the response from server B allows access for server A which is signalled by the Access-Control-Allow-Origin
header in the HTTP response. There are other headers that you can choose depending on your case.
Flussonic allows using CORS for restricting access to the embed.html player page to specific domains only. You can configure CORS individually for each stream or use the stream configuration template.
Warning
Do not use CORS for authorization. You will need the auth backend for that.
Example 1. To allow embedding of the embed.html
player with the protected
stream only on the example.com
page, the playback_headers
directive and the header
parameter must be specified in the stream configuration as follows:
stream protected {
input fake://fake;
playback_headers {
header Access-Control-Allow-Origin example.com;
}
}
Example 2. Using CORS settings in the stream configuration template.
template cors {
playback_headers {
protocols hls;
playback live;
header Access-Control-Allow-Origin example.com;
}
}
stream fake {
input fake://;
template cors;
}