Any way to use MPR functionality without HTTPS?

Is there any way to use MPR functionality without HTTPS ie over plain HTTP ? When MPR mode is activated over a HTTP connection it fails due to SharedArrayBuffer related errors.

Any help would be greatly appreciated.

If you run a local dev OHIF server using say yarn start, MPR works fine and this is an http environment.

So I suspect the problem is more related SharedArrayBuffer and its security requirements (see this MDN article). The OHIF server/site requires those headers (see also .webpack\webpack.base.js in the OHIF codebase how this is done for the local dev server).

I hope this helps.

so its not possible to use MPR functionality over the internet(as its a non-local enviroment) without Https…correct?

To clarify, I suspect the problem you are seeing with MPR has NOTHING to do with HTTP v.s. HTTPS. I suspect it is related to SharedArrayBuffer and its security requirements (see my previous message).

Notice that the following link to the OHIF Viewer is https and launches directly into MPR and it works just fine. Again the problem is NOT HTTP vs HTTPS.

Correction, please see…

Im just a bit confused…

if the same link that you provided was over http instead of https would MPR stillwork as MPR seems to use SharedArrayBuffer functionality?

Yes it would still work as long as the headers are set correctly for SharedArrayBuffer.

Apologies. I was mistaken. It does require HTTPS.

Thanks for all your help. Below is my Nginx config file…would you be willing to take a look at it and see what Im doing wrong?

worker_processes  5;

events {
    worker_connections  4096;

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    proxy_connect_timeout 3200s;
	proxy_read_timeout 3000s;
    #gzip  on;

    server    {
        listen 8099;
        server_name default_server;
		location / {
			try_files $uri $uri/ /index.html;
			add_header 'Access-Control-Allow-Credentials' 'true';
            add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Origin' '*';
			add_header 'Cross-Origin-Embedder-Policy' 'require-corp';
			add_header 'Cross-Origin-Opener-Policy' 'same-origin';
			add_header 'Cross-Origin-Resource-Policy' 'same-origin';
        location /orthanc/{
            proxy_pass http://localhost:8042;
            proxy_set_header Authorization "Basic YWxuYXNhcnBhY3M6YWxuYXNhcnBhYzc=";
            proxy_set_header HOST $Host:8099/orthanc/;
            proxy_set_header X-Real-IP $remote_addr;

            rewrite /orthanc(.*) $1 break;


  1. Enter in the address bar of Chrome browser chrome://flags/ Then press the Enter key.

  2. Enter SharedArrayBuffer in the search bar

  3. Under the “SharedArrayBuffer” option, select “Enable”.

Restart the browser.

Apologies for not replying sooner.

That nginx file looks fine. However, is it the nginx file for your OHIF docker image/container? If not, then be sure to update the nginx file for OHIF too. There is a sample nginx config file in .docker\Viewer-v3.x\default.conf.template (I have included it below as well) It is used to create a OHIF docker image/container when following these instructions: Docker | OHIF.

server {
  listen ${PORT};
  location / {
    root   /usr/share/nginx/html;
    index  index.html index.htm;
    try_files $uri $uri/ /index.html;
    add_header Cross-Origin-Opener-Policy same-origin;
    add_header Cross-Origin-Embedder-Policy require-corp;
    add_header Cross-Origin-Resource-Policy same-origin;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
  error_page   500 502 503 504  /50x.html;
  location = /50x.html {
    root   /usr/share/nginx/html;

Recall that the Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy are key.

Hope this helps.

1 Like