Conor Browne · Sep 21, 2017

CORS errors when requesting data from FHIR Repository with JavaScript / AJAX.

Hoping someone can help.

I had posted a similar question outside this group a while ago "Errors requesting data from local Ensemble FHIR Repository" but haven't had the chance to follow up on it since. It was suggested I re-post inside this group.

I'm trying to request data from my local FHIR repository using a simple JavaScript client and am getting the following CORS errors. (It is a standalone client not inside HealthShare without CSP etc. on my localhost.)

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost:57773/csp/healthshare/fhirserver/fhir/Patient. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

This is what it's doing in essence (see below).

    var xhttp = new XMLHttpRequest();
    xhttp.open("GET", "http://localhost:57773/csp/healthshare/fhirserver/fhir/Patient", true);
    xhttp.setRequestHeader("Content-type", "application/json+fhir");
    xhttp.send();

If, however, I change the URL to a public FHIR repo (e.g. "") I get a response (FHIR Bundle etc.)

Do I have to configure the server response headers somewhere? I have the default FHIR repository setup outlined here:


Please let me know how I can resolve this issue.





Do you understand what Cross-Origin Resource Sharing (CORS) is? You can allow CORS requests, but it is important that you understand what you're getting into. That is, you need to think about it in the context of your application as it affects the accessibility of your data. So before going too far with this, please think about what changes here might mean. Some reading materials:

Now, you seem to have this working on one webserver and not another.  Do both webservers point to the same HealthShare instance?  

Thanks Jorge,

I'll try setting the endpoints to "Unauthenticated" for testing purposes; eventually I intend to use OAuth2 for authentication.


Hi Conor,

The issue is that HealthShare does not support CORS requests against FHIR endpoints that are secured with standard Caché authentication.  So if you look at the Network tab in your browser's developer tools, you'll see that before your browser sends the GET request to that URL, it sends an OPTIONS request to that same URL.  HealthShare responds with a 404, and what the browser actually complains about is the response missing some headers that are expected in a CORS response.

For an endpoint to support CORS, the authentication in the CSP application settings for the endpoint has to be set to "Unauthenticated".  If you're just developing or trying out FHIR, this is fine.  In production, the expectation is that this endpoint would be secured via OAuth.

Thanks, I had assumed localhost and localhost:port would be considered the same domain but they are not (so probably the reason for the CORS errors I'm getting). The working webserver "" is a public non-HealthShare repository that you can query against. It is sending back response headers that allow the query to process and return data.
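
The two points made in this thread (localhost and localhost:port are different origins, and the preflight OPTIONS request that gets a 404) can be reproduced with a small model of the browser's checks. This is an added example, not code from any poster or from HealthShare; the function names, the page URL http://localhost/client.html and the sample responses are assumptions constructed for illustration.

```javascript
// Added example: simplified model of the browser's CORS checks (after the Fetch standard).
// Header maps use lowercase names; credentials and "*" in Allow-Headers/Methods are not modelled.
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const SAFE_HEADERS = ["accept", "accept-language", "content-language"];
const SAFE_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// Scheme, host and port must all match; http://localhost and http://localhost:57773 differ.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Request headers the server must name in Access-Control-Allow-Headers.
function unsafeHeaders(req) {
  return Object.keys(req.headers).filter((name) => {
    if (name !== "content-type") return !SAFE_HEADERS.includes(name);
    const type = req.headers[name].split(";")[0].trim().toLowerCase();
    return !SAFE_CONTENT_TYPES.includes(type);
  });
}

// A cross-origin request is preflighted when its method or headers are not safelisted.
function needsPreflight(pageUrl, req) {
  if (sameOrigin(pageUrl, req.url)) return false;
  return !SAFE_METHODS.includes(req.method) || unsafeHeaders(req).length > 0;
}

// Reasons a browser would block the request, given the preflight (OPTIONS) response.
function preflightProblems(pageUrl, req, res) {
  const problems = [];
  const origin = new URL(pageUrl).origin;
  const list = (h) => (res.headers[h] || "").toLowerCase().split(",").map((s) => s.trim());
  if (res.status < 200 || res.status > 299) problems.push("status " + res.status + " is not 2xx");
  const acao = res.headers["access-control-allow-origin"];
  if (acao !== "*" && acao !== origin) problems.push("Access-Control-Allow-Origin missing or not " + origin);
  if (!SAFE_METHODS.includes(req.method) && !list("access-control-allow-methods").includes(req.method.toLowerCase()))
    problems.push("method " + req.method + " not allowed");
  for (const name of unsafeHeaders(req))
    if (!list("access-control-allow-headers").includes(name)) problems.push("header " + name + " not allowed");
  return problems;
}

// Constructed sample: the request from the question, sent from an assumed page on http://localhost
const samplePage = "http://localhost/client.html";
const sampleRequest = { method: "GET", headers: { "content-type": "application/json+fhir" },
  url: "http://localhost:57773/csp/healthshare/fhirserver/fhir/Patient" };
console.log(needsPreflight(samplePage, sampleRequest));
console.log(preflightProblems(samplePage, sampleRequest, { status: 404, headers: {} }));
```

A GET without the custom Content-type header would not be preflighted, but the browser still needs Access-Control-Allow-Origin on the actual response before the script can read it.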