Zach - Thats wonderful news. Thank you kindly, and happy holidays! Boris
On Dec 18, 2025, at 19:10, Zach Pearson <z.pearson9@gmail.com> wrote:
Hi Boris,
I have added an option to the rest_server bundle that will let you configure the server to emit CORS headers for localhost-only clients as you requested. This is a sensible change. In tomorrow’s daily build you should be able to type ‘remotecontrol rest start cors true’ and get your tutorial working.
— Zach
On 18 Dec 2025, at 08:57, Boris Steipe via ChimeraX-users <chimerax-users@cgl.ucsf.edu> wrote:
Dear ChimeraX team -
I am writing a local, interactive tutorial (Quarto HTML) that I want drive ChimeraX via the REST remotecontrol interface. I can send commands in JavaScript, but not read responses.
Quarto serves my page locally - page origin: http://localhost:5779 - ChimeraX endpoint: http://127.0.0.1:61803/run?command=...
... but if I issue in the JS console: fetch("http://127.0.0.1:61803/run?command=help") .then(r => r.text()).then(console.log).catch(console.error);
I get: Console error: - CORS blocked: “No ‘Access-Control-Allow-Origin’ header is present…” - Network panel shows 200 OK, but the Fetch promise rejects with TypeError: Failed to fetch.
So: Is there a supported way (or could there be) for remotecontrol rest to emit CORS headers for localhost-only clients? Something like: - Access-Control-Allow-Origin: http://localhost:5779 (or a configurable allow-list, possibly including http://127.0.0.1/) - Access-Control-Allow-Methods: GET, POST, OPTIONS - Access-Control-Allow-Headers: Content-Type - Handling preflight OPTIONS requests (e.g. relevant for POST ) - Even an "allow only loopback origins" mode would be sufficient.
Ideally, enabling CORS would be controllable at runtime from within ChimeraX (e.g., as an option to remotecontrol rest start or a subsequent ChimeraX command), so that a teaching workflow can be fully self-contained. For example, something like: • remotecontrol rest start port 61803 cors allow-origin http://localhost:* • or: remotecontrol rest cors allow-origin http://localhost:*
If there’s already an option/flag for this I would be grateful for pointers. (Or perhaps I have missed a recommended pattern.)
Thank you! Boris
(Nb. I do understand the security implications of CORS; this use case is strictly local (loopback only), with the goal to enable processing measurements/queries in browser-based teaching material. )
-- Boris Steipe MD, PhD
Professor em. Department of Biochemistry Temerty Faculty of Medicine University of Toronto
_______________________________________________ ChimeraX-users mailing list -- chimerax-users@cgl.ucsf.edu To unsubscribe send an email to chimerax-users-leave@cgl.ucsf.edu Archives: https://mail.cgl.ucsf.edu/mailman/archives/list/chimerax-users@cgl.ucsf.edu/