We have a headless project using Delivery API, where frontend is separated from backend. We have configured CORS in order to make frontend request member token as in member auth demo here: https://github.com/kjac/UmbracoDeliveryApiAuthDemo/blob/main/src/Server/Configuration/ConfigureCorsComposer.cs Everything seems to work correct and the response from member token endpoint sets the

Access-Control-Allow-Origin

and

Vary

headers. However when configuring MediaProtect package, it seems it may clear/remove/override the response headers, so we get an CORS errors as it only allow to make the request the another origin if

Access-Control-Allow-Origin

header is set in response.

I had similar issues as well as others. I scrapped using the package and developed my own. They key component is creating security properties on your media folders so you can mark them secure, configure what member groups. The middleware is the next componenent intersepting the request where it has /media Then yuo check the files parent for secirity and act accordingly. I then wrote a couple of helper functions in a helper class so you can use in the project to get the file security info or simply check if the file is secure or not.

Hi Missed this, youe Collegue fixed ths Bjarne.. His reply below However, today I found the problem and solved the problem and I think you might need it as for further support should you have others running into this issue. When Media Protect is installed I assume it runs "app.UseAuthentication();" when initializing, which is fine, but when using CORS its important the get applied first otherwise we could run into those CORS error I got. So to solve that I applied our CORS policies before the Umbraco pipeline and therefor Media Protects pipeline setting I assume "UseAuthentication();". With that change everything works as expected 🥳 https://cdn.discordapp.com/attachments/1279472883009065041/1281136272865234997/clip_image002.png?ex=66da9ea1&is=66d94d21&hm=5f5b178a3c54f81e62ba885d30c0f6b2c43665b9cc85cb29e4a8dc2fb209d33c&

@Richard Soeteman yes, it would probably work if MediaProtect didn't include

app.UseAuthentication()

.. not sure if it should or shouln't. So we actually have

.UseCors()

again here.. beside in prerequest pipeline.. at least it works for now.

If I exclude that your files won't be protected what is the purpose of the whole module 😉

Yes 🙂 It could just be a requirement it should be set though.. then we could handle it ourselves 🙂 Not sure the right/best solution.. anyway the workaround works 😁