CORS header ‘Access-Control-Allow-Origin’ missing

I am trying to GET Radiology Reports via REST from my angular application but I keep getting this error

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Please how can resolve this? I am trying to complete

You will get that if your angular app is a standalone app that is trying to to make REST calls to a server running on another domain. I see you are trying to access the hosted API. I will advice you setup your own radiology server and make REST calls to that server.

Isn’t this supposed to be an owa? Why does it seem like it’s a standalone web app?

Toolkit does not support CORS. So by default services out of the domain cannot access it’s API. I think there is a way to enable that from tomcat but that is by the way. In the first place you shouldn’t be having that error if you are building an owa and you have a local server setup. Your code should make REST calls to the server in which the owa is running not a remote server.

If that is an owa and you have a local radiology server running trying making the REST call to


You don’t need to include the host and the domain. That will default to which ever domain the app is hosted on which will be the radiology/toolkit server the app is running on.

Yeah, it is suppose to be an OWA but I need to be testing as I am building so it becomes tedious if I have to upload the OWA each time I make changes.

Then you may need to enable cross origin from tomcat or toolkit.

Making tomcat/nginx start with CORS headers might be more work. The easiest and fastest way that I use is to close all instances of Chrome. And then start it with --user-dir --disable-web-security flags. Then it allows for cross-origin calls.

1 Like

@sunbiz I wish I knew that last year during GSoC :joy:

I will look into this later. why are you making HEAD requests @lehone?


I just tested against toolkit and radiology – I made config changes and tested with the Polymer Login component and it worked.

1 Like

As a note - if you ever need to inspect what headers are being received, curl -I is how you do it. CORS support for HEAD requests isn’t necessary.

In the recent years, I am now of the opinion that demo servers are the only deployments where we should use these headers. In real implementations, one should never add those headers even on VPN connections.

This is only an intermediate problem for the next couple of months, where we will move to OAuth for FHIR OWAs during the summer.

eh – in some cases - CORS is necessary. For our use, not so much.