CORS for player protection

CORS (cross-origin resource sharing) is a mechanism that modern browsers use to restrict access from one domain to the resources of another domain. When a page loaded from server A requests a resource from server B, the browser checks that the response from server B allows access for server A, which is signalled by the Access-Control-Allow-Origin header in the HTTP response. Other CORS headers are available, and you can choose among them depending on your case.

Flussonic allows using CORS for restricting access to the embed.html player page to specific domains only. You can configure CORS individually for each stream or use the stream configuration template.

Warning

Do not use CORS for authorization. CORS is enforced only by the browser, so a client that ignores the header is not restricted by it. You will need the auth backend for that.

Example 1. To allow embedding of the embed.html player with the protected stream only on the example.com page, the playback_headers directive and the header parameter must be specified in the stream configuration as follows:

stream protected {
  input fake://fake;
  playback_headers {
    header Access-Control-Allow-Origin example.com;
  }
}

Example 2. Using CORS settings in the stream configuration template.

template cors {
  playback_headers {
    protocols hls;
    playback live;
    header Access-Control-Allow-Origin example.com;
  }
}

stream fake {
  input fake://;
  template cors;
}
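
To review which streams actually end up with the header once templates are applied, the following added example (not Flussonic's own code) is a simplified Python parser for the stream/template syntax shown in Examples 1 and 2. It reports each stream's effective Access-Control-Allow-Origin value and flags a missing header or a `*` wildcard. The names SAMPLE, parse_block, allow_origin and audit are hypothetical, and it assumes that a stream's own header takes precedence over its template's.

```python
import re

# Constructed sample in the syntax shown on this page (not a real deployment).
SAMPLE = """
template cors { playback_headers { protocols hls; header Access-Control-Allow-Origin example.com; } }
stream fake { input fake://; template cors; }
stream open { input fake://; playback_headers { header Access-Control-Allow-Origin *; } }
stream bare { input fake://; }
"""

def parse_block(tokens, pos=0):
    """Return ([(words, child_block_or_None), ...], next_pos) for one brace level."""
    stmts, words = [], []
    while pos < len(tokens) and tokens[pos] != "}":
        tok, pos = tokens[pos], pos + 1
        if tok in ("{", ";"):
            child = None
            if tok == "{":
                child, pos = parse_block(tokens, pos)
            stmts.append((words, child))
            words = []
        else:
            words.append(tok)
    return stmts, pos + 1  # step past the closing '}'

def allow_origin(block, templates):
    """Header set in the block's playback_headers, else inherited via 'template NAME;'."""
    inherited = None
    for words, child in block:
        if words == ["playback_headers"] and child is not None:
            for w, _ in child:
                if w[:2] == ["header", "Access-Control-Allow-Origin"] and len(w) == 3:
                    return w[2]
        elif len(words) == 2 and words[0] == "template" and child is None:
            inherited = allow_origin(templates.get(words[1], []), {})  # assumed: own header wins
    return inherited

def audit(config):
    """Map each stream to its effective header value, 'WILDCARD' or 'MISSING'."""
    top, _ = parse_block(re.findall(r"[{};]|[^\s{};]+", config))
    def named(kind):
        return {w[1]: b for w, b in top if len(w) == 2 and w[0] == kind and b is not None}
    templates, report = named("template"), {}
    for name, body in named("stream").items():
        value = allow_origin(body, templates)
        report[name] = {None: "MISSING", "*": "WILDCARD"}.get(value, value)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Streams reported as MISSING or WILDCARD are the ones where the embedding restriction described above is not in effect.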