Transom Server setup overview
ffmpeg.wasm needs SharedArrayBuffer, which browsers only expose in a cross-origin isolated context. For most installs, the plugin handles this on its own. No server config required.
Single-site installs
Section titled “Single-site installs”The plugin injects Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Embedder-Policy: credentialless on CP responses via PHP, scoped to CP requests. The front-end is untouched.
In a single-site install, Craft’s Live Preview loads from the same domain as the CP, so the browser treats it as same-origin. Nothing else to configure.
Multisite installs
Section titled “Multisite installs”In a multisite install, each site usually runs on its own subdomain (foods.example.com, foodservice.example.com, etc.). When Live Preview opens, the preview iframe loads from a different origin than the CP.
A browser running a COEP-enabled page will block cross-origin iframes unless the iframe’s response also carries COEP. So the front-end needs to send:
Cross-Origin-Embedder-Policy: credentiallessCOEP alone, without COOP, does not make the front-end cross-origin isolated, so Live Preview still works.
Third-party iframes (YouTube, Vimeo)
Section titled “Third-party iframes (YouTube, Vimeo)”Once the front-end has COEP, any cross-origin <iframe> that doesn’t send its own COEP header (YouTube, Vimeo, most embeds) needs the credentialless HTML attribute to load:
<iframe src="https://www.youtube-nocookie.com/embed/..." credentialless></iframe>The attribute tells the browser to load that iframe without credentials, bypassing the COEP check for that element. Fine for background and autoplay embeds where the user’s login state is irrelevant.
Setup guides
Section titled “Setup guides”- DDEV — local multisite development
- Forge / nginx — production
- Cloudflare — if you proxy through Cloudflare