For me, turns out I was setting Access-Control-Allow-Origin response header to a specific (and the correct) host.com but it had to be returned as http://host.com .