In production set the nginx headers as mentioned before in this thread. (setting it to wildcard ‘*’ is not secure)
If you need it for development purpose:
In frappe/frappe/app.py, in application(request) function. Place response header just before returning the response
@Request.application
def application(request):
""" ... """
response.headers['Access-Control-Allow-Origin'] = '*'
return response