Enable CORS

Fernando_Jose_Serran · July 29, 2015, 5:21pm

Is there any way to enable CORS in default orthanc installation to prevent “No Access-Control-Allow-Origin” errors while making a request from another domain? Or should it be included in a setup with apache or nginx to do that?

jodogne · July 29, 2015, 5:25pm

CORS is not available inside Orthanc. You have 2 possibilities:

Put Orthanc behind Apache/nginx using reverse proxying (cf. https://code.google.com/p/orthanc/wiki/FAQ ).
Use the official “ServeFolders” plugin to serve your JavaScript/HTML/CSS/… resources (cf. https://goo.gl/QcVypZ ).

Sébastien-

Fernando_Jose_Serran · July 30, 2015, 4:15pm

I’ve just updated my vagrant box (https://github.com/fernandojsg/vagrant-orthanc) to include a nginx as proxy with CORS enabled, so you can query orthanc without problem using the nginx’s port (By default I’ve mapped 80 → 8043 to avoid collision with host machine).

By the way, I think could be nice to update the documentation to include the nginx configuration in case someone could need it, as it’s quite usual than the PACS is on a different server from the other webapps.

Right now you have:

server{
listen 80 default_server;
…
location /orthanc/ {
proxy_pass http://localhost:8042;
proxy_set_header HOST $host;
proxy_set_header X-Real-IP $remote_addr;
rewrite /orthanc(.*) $1 break;
}
…
}

And adding CORS it could be:

server{
listen 80 default_server;
…
location /orthanc/ {
proxy_pass http://localhost:8042;
proxy_set_header HOST $host;
proxy_set_header X-Real-IP $remote_addr;
rewrite /orthanc(.) $1 break;
add_header ‘Access-Control-Allow-Credentials’ ‘true’; add_header ‘Access-Control-Allow-Headers’ ‘DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type’; add_header ‘Access-Control-Allow-Methods’ ‘GET, POST, OPTIONS’; add_header ‘Access-Control-Allow-Origin’ '';
}
…
}

Also you could include a FAQ question regarding CORS, something like How can I enable CORS? And add the link to http://enable-cors.org

Regards

jodogne · July 31, 2015, 7:15am

Dear Fernando,

Thanks for this very useful information!

I have just added it to the FAQ:
https://code.google.com/p/orthanc/wiki/FAQ#How_can_I_enable_CORS_with_nginx?

Sébastien-

TheRightDoctors_Deve · December 8, 2018, 3:11pm

We have added those lines to our nginx server to configure the Orthanc server, but still the post request is giving the same error. Here we are trying to post a .dcm file to an orthanc server which is running behind an nginx server.

Ankit_Arora · December 10, 2018, 5:10am

hi, the one posted on Official Orthanc Book will not work.

Use this in nginx Configuration

server {
listen 4200 default;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
add_header ‘Access-Control-Allow-Origin’ “*”;
add_header ‘Access-Control-Allow-Methods’ ‘GET, POST, OPTIONS’;
add_header “Access-Control-Allow-Headers” “Authorization, Origin, X-Requested-With, Content-Type, Accept”;
proxy_pass http: //127.0.0.1:8080/;
}
}

You need to add reverse proxy here. consider 8080 as your orthanc port and 4200 as an open. If you setup this in correct way then all request for 4200 will be forwarded to 8080 bypassing the CORS error.

jodogne · December 10, 2018, 7:59am

Hello,

If the information in the Orthanc Book is incorrect, please could you contribute to the project by telling how to fix the dedicated section? TIA!
http://book.orthanc-server.com/faq/nginx.html#enabling-cors

Regards,
Sébastien-

Thibault_Nelis · December 10, 2018, 9:33am

Obligatory warning: Please understand the consequences of doing this
before doing it. The single-origin policy is especially relevant for
Orthanc's API.

In short: If you don't otherwise secure access to the Orthanc
resources, visiting a link with a web browser on any website could
trigger arbitrary operations like deletions on the Orthanc server, even
if that Orthanc server is in a private network and so long as the web
browser has access to it.

Ankit_Arora · December 11, 2018, 4:26am

Yes you are correct, but I dont have any other solution to do the same, I would be grateful if you could share any other solution for removing this CORS error.

jodogne · December 11, 2018, 7:46am

The clean way to use Orthanc from a Web application, is to make Orthanc run on an Intranet server (not publicly accessible), and create an Web applicative gateway that is built on the top of the REST API of Orthanc (using e.g. PHP+curl, Node.js, Java, Python…). CORS is a trick to make it work if you don’t have full control over your architecture, or if you want quick deployments.

In either case, your question is generic, and not particular to Orthanc.

Please use another forum to discuss possible architectures for Web applications.

Francisco_Maria_Cali · July 27, 2020, 3:11pm

Dear Orthanc Community,

I am facing a real strange issue concerning CORS. In the past, I had my nginx configurations to enable the communication between a web viewer based in CornerstoneJS and Orthanc. During this pandemic phase, we change our servers and I tried to replicate the old configurations. Unfortunately, in a less successful way. My configurations are as follows.

Web Viewer:

http://foo.com:8586/src/public/index.html

Orthanc Server:

http://foo.com:8551/app/explorer.html

Nginx Configurations:

server {
listen 8451 default_server;
location / {
client_max_body_size 128M;
proxy_pass http://localhost:8551;
proxy_set_header HOST $host;
proxy_set_header X-Real-IP $remote_addr;
rewrite /orthanc(.) $1 break;
add_header ‘Access-Control-Allow-Credentials’ ‘true’;
add_header ‘Access-Control-Allow-Headers’ ‘DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type’;
add_header ‘Access-Control-Allow-Methods’ ‘GET, POST, OPTIONS’;
add_header ‘Access-Control-Allow-Origin’ '';
}
}

The web viewer (http://foo.com:8586/src/public/index.html) is reading from the 8451 port but still, we have the following error:

Access to XMLHttpRequest at ‘http://foo.com:8451/patients?expand&_=1595861396855’ from origin ‘http://foo.com:8586’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

What am I missing?

Best regards,

Francisco Maria Calisto

Benjamin_Golinvaux2 · July 28, 2020, 8:10am

Hello Fransisco,

Your reverse proxy seems to listen on 8451 yet you are opening the web viewer URL on 8586? What is the purpose of the 8586 port?

I must have missed something but why don’t you serve everything through the reverse proxy to avoid this error?

Or, most probably, there is something in your nginx conf file that is not posted here.

Francisco_Maria_Cali · July 28, 2020, 9:17am

First of all, thank you for your answer. The port 8586 is serving our web viewer, a CornerstoneJS based solution that we have to manipulate the medical images and to inform radiologists. On the other hand, the Orthanc server is served at the port of 8551 and listens at the port 8451.

There are no errors and things are working if I turn on the CORS application on my Chrome browser. But I would like to have a more automatic way (e.g., nginx). Unfortunately, I am not achieving it. Which is strange, since in the past I have the things working on an older physical server.