Impact of default CORS option in IiifServer module configuration

Hello everyone,

I’d like to bring to the attention of users of the IiifServer module a potential concern with the default configuration that I tried to summarize in this ticket: CORS disabled by default in module configuration on its Gitlab repository (in French). It is a matter of perspective, and the change made last year in the code could originate from a request made by users of this module. Anyway, as explained in the ticket, having this HTTP header disabled by default in the module configuration can be seen as a regression that could lead to “silently” restricting the usability of IIIF resources that you might be likely to distribute via your existing or future Omeka S digital library. Indeed this CORS HTTP header is a critical requirement for all browser-based IIIF clients in the wild (above all viewers like Mirador, UniversalViewer etc.). So it may be desirable to switch the option iiifserver_manifest_append_cors_headers to true in module.config.php#L528.

Without getting into the details of this setting or module specifically, I just want to note that all settings in modules’s module.config.php files (as well as the core’s equivalent config file) can be overridden by your installation’s config/local.config.php file.

In a case like this where you want to change a module’s default, you’re probably better off doing it there, rather than in the module where you’d have to remember to re-apply your change every time you upgraded the module.