CORS - cross domain POST to HTTP from HTTPS

Question

I am trying to use an XmlHTTPRequest POST from a page loaded from HTTPS to a different domain using an HTTP url. The HTTP server is a local (in home) server and so it cannot be HTTPS. (This is a prototype/demo - the home HTTP server would likely be in a set top box). My server returns:

'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Methods' : 'GET, POST, PUT, DELETE, OPTIONS'

When I post, it appears that the browser has cancelled the request. I see this warning in the console:

The page at 'https://xxx.html' was loaded over HTTPS, but displayed insecure content from 'http://localhost:10293/yyy': this content should also be loaded over HTTPS.

Is there a way to make this work?

The very interesting thing about this is that I can send a DELETE to the HTTP server, and it works, just not the POST! (The server handles the 'OPTION' request, and returns the above 'Access' headers. The DELETE also causes the warning to spit out, but the request is sent, unlike the POST, where the request was cancelled by the browser.

The server is a basic node.js server.

Answer 1

I was able to make this work by handling the OPTIONS request in my HTTP server:

    response.writeHead(200, {
        'Content-Type': 'text/html', 
        'Access-Control-Allow-Origin': '*', 
        'Access-Control-Allow-Methods' : 'GET, POST, PUT, DELETE, OPTIONS'
    });
    response.end();

The issue with only the POST failing was a red herring - I forget the exact circumstances now, my comment above says something about a setTimeout immediately following the POST. Not sure, but it is now working.