Dear ChimeraX team - I am writing a local, interactive tutorial (Quarto HTML) that I want drive ChimeraX via the REST remotecontrol interface. I can send commands in JavaScript, but not read responses. Quarto serves my page locally - page origin: http://localhost:5779 - ChimeraX endpoint: http://127.0.0.1:61803/run?command=... ... but if I issue in the JS console: fetch("http://127.0.0.1:61803/run?command=help") .then(r => r.text()).then(console.log).catch(console.error); I get: Console error: - CORS blocked: “No ‘Access-Control-Allow-Origin’ header is present…” - Network panel shows 200 OK, but the Fetch promise rejects with TypeError: Failed to fetch. So: Is there a supported way (or could there be) for remotecontrol rest to emit CORS headers for localhost-only clients? Something like: - Access-Control-Allow-Origin: http://localhost:5779 (or a configurable allow-list, possibly including http://127.0.0.1:*) - Access-Control-Allow-Methods: GET, POST, OPTIONS - Access-Control-Allow-Headers: Content-Type - Handling preflight OPTIONS requests (e.g. relevant for POST ) - Even an "allow only loopback origins" mode would be sufficient. Ideally, enabling CORS would be controllable at runtime from within ChimeraX (e.g., as an option to remotecontrol rest start or a subsequent ChimeraX command), so that a teaching workflow can be fully self-contained. For example, something like: • remotecontrol rest start port 61803 cors allow-origin http://localhost:* • or: remotecontrol rest cors allow-origin http://localhost:* If there’s already an option/flag for this I would be grateful for pointers. (Or perhaps I have missed a recommended pattern.) Thank you! Boris (Nb. I do understand the security implications of CORS; this use case is strictly local (loopback only), with the goal to enable processing measurements/queries in browser-based teaching material. ) -- Boris Steipe MD, PhD Professor em. Department of Biochemistry Temerty Faculty of Medicine University of Toronto