CORS header ‘Access-Control-Allow-Origin’ missing

lehone · April 20, 2018, 6:02am

I am trying to GET Radiology Reports via REST from my angular application but I keep getting this error

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://radiology.librehealth.io/lh-toolkit/ws/rest/v1/radiologyreport/?status=&v=full. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Please how can resolve this? I am trying to complete https://gitlab.com/librehealth/lh-radiology/issues/42

ivange94 · April 20, 2018, 9:03am

You will get that if your angular app is a standalone app that is trying to to make REST calls to a server running on another domain. I see you are trying to access the hosted API. I will advice you setup your own radiology server and make REST calls to that server.

Isn’t this supposed to be an owa? Why does it seem like it’s a standalone web app?

ivange94 · April 20, 2018, 9:07am

Toolkit does not support CORS. So by default services out of the domain cannot access it’s API. I think there is a way to enable that from tomcat but that is by the way. In the first place you shouldn’t be having that error if you are building an owa and you have a local server setup. Your code should make REST calls to the server in which the owa is running not a remote server.

If that is an owa and you have a local radiology server running trying making the REST call to

/lh-toolkit/ws/rest/v1/radiologyreport/?status=&v=full

You don’t need to include the host and the domain. That will default to which ever domain the app is hosted on which will be the radiology/toolkit server the app is running on.

lehone · April 20, 2018, 10:32am

Yeah, it is suppose to be an OWA but I need to be testing as I am building so it becomes tedious if I have to upload the OWA each time I make changes.

ivange94 · April 20, 2018, 11:05am

Then you may need to enable cross origin from tomcat or toolkit.

sunbiz · April 20, 2018, 11:50am

Making tomcat/nginx start with CORS headers might be more work. The easiest and fastest way that I use is to close all instances of Chrome. And then start it with --user-dir --disable-web-security flags. Then it allows for cross-origin calls.

ivange94 · April 20, 2018, 12:42pm

@sunbiz I wish I knew that last year during GSoC

r0bby · April 20, 2018, 8:44pm

I will look into this later. why are you making HEAD requests @lehone?

GET, PUT, POST, PATCH, DELETE and OPTIONS works.

r0bby · April 20, 2018, 8:59pm

I just tested against toolkit and radiology – I made config changes and tested with the Polymer Login component and it worked.

r0bby · April 20, 2018, 11:35pm

As a note - if you ever need to inspect what headers are being received, curl -I is how you do it. CORS support for HEAD requests isn’t necessary.

sunbiz · April 21, 2018, 12:17am

In the recent years, I am now of the opinion that demo servers are the only deployments where we should use these headers. In real implementations, one should never add those headers even on VPN connections.

This is only an intermediate problem for the next couple of months, where we will move to OAuth for FHIR OWAs during the summer.

r0bby · April 21, 2018, 1:30am

eh – in some cases - CORS is necessary. For our use, not so much.