CORS issue for public IIIF resources - No Access-Control-Allow-Origin header is present on the requested resource

[JorenSix]

First of all thanks for building Heurist but I have a small (configuration?) issue with the IIIF functionality. When uploading a media file to Heurist and making it public, the IIIF manifest is correctly created and usable in the internal mirador viewer. Perfect!

Problem Unfortunately there seems to be a configuration issue (at least on huma-num.fr): the IIIF resources are not viewable in an external viewer due to a configuration issue:

Access to fetch at 'https://heurist.huma-num.fr//heurist/hserv/controller/record_output.php?db=ghentcdh_ghentcdhtest&recID=&iiif_image=755e03af9a6be682fecd8b12cbb36fdc76b56d21' from origin 'https://ramp.avalonmediasystem.org' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

The expected behaviour is, of course, to be able to interact with the IIIF resources in other places as well. It seems that the resource permissions are set correctly when making them public.

Reproduce: to reproduce this issue, make a media file public on huma-num.fr and copy the IIIF manifest into an external IIIF viewer.

Potentially a solution would be to configure the web-server to return correctly configured Access-Control-Allow-Origin headers which allow to re-use IIIF resources and perhaps document this for other installs as well.

Thanks in advance.