RESOLVED: CORS error in Cordova app when ROOT_URL is HTTP but server is HTTPS


I’m having a heck of a time getting my Cordova app to connect to its server under. I keep getting the following error in the Safari inspector no matter what my security policy is:

[Error] XMLHttpRequest cannot load[nonce]. Cross-origin redirection denied by Cross-Origin Resource Sharing policy.

Meteor is at the most current version and the boilerplate generator is working as per the fix in issue 7772.

I have the browser-policy package installed and have the following loading on startup on the server side:

Meteor.startup(function () {
  BrowserPolicy.content.allowSameOriginForAll();
  BrowserPolicy.content.allowOriginForAll('http://meteor.local');
  BrowserPolicy.content.allowOriginForAll('http://localhost');
  BrowserPolicy.content.allowOriginForAll('');
  BrowserPolicy.content.allowOriginForAll('');
  BrowserPolicy.content.allowOriginForAll('');
  BrowserPolicy.content.allowOriginForAll('');
  BrowserPolicy.content.allowEval();
});

I have the following app access rules in mobile-config.js and have confirmed that they are populating in the Cordova config.xml correctly:

App.accessRule('');
App.accessRule('');
App.accessRule('');
App.accessRule('');

I’m using the most current version of mup with an autogenerated letsencrypt cert. When I connect to the app via a web browser, the connection upgrades automatically. Interestingly, though the app URL in the mup.js file is configured as https, the app is trying to connect over http.

Here’s the mup.js file:

[code]module.exports = {
  servers: {
    one: {
      host: '***.**..',
      username: '', // value elided in the original post
      pem: '************'
    }
  },

  meteor: {
    docker: {
      image: 'abernix/meteord:base'
    },
    name: 'MusiQuiz',
    path: '/Users/adrianquince/Feedbaq/MusiQuiz',
    servers: {
      one: {}
    },
    buildOptions: {
      serverOnly: true,
      server: '' // value elided in the original post
    },
    env: {
      PORT: 3000,
      MONGO_URL: 'mongodb://localhost/meteor'
    },
    ssl: {
      // Enables let's encrypt (optional)
      autogenerate: {
        email: '@.**',
        domains: '' // comma separated list of domains
      }
    },
    deployCheckWaitTime: 240,
    enableUploadProgressBar: true
  },

  mongo: {
    oplog: false,
    port: 27017,
    servers: {
      one: {}
    }
  }
};[/code]

Anyone have any ideas?


You might be running into the iOS 10 compatibility problem.

I installed meteor-ios10-csp-fix and I got past it.


Hi Bruce,

Thanks, but I don’t think that’s it. The patch you mentioned and issue 7772 apply the same fix to the Content Security Policy.


I have a working connection to my mobile apps. It took a while to get it working for me. Most of my issues were on how I started up the server because I wanted hot code push to work.

I looked through my settings and I noticed a couple of things:

App.accessRule('*', {'type': 'network'});

This is my access rule to connect via my local LAN. And my connection to Google.
I specified the port in the rule and appended an asterisk to cover routes.

In my browser policies:


  let trusted = [

  _.each(trusted, function trustedPolicy(origin) {
    // origin = 'https://' + origin;

allowConnectOrigin from here:

BrowserPolicy.content.allowConnectOrigin("") allows XMLHttpRequest and WebSocket connections to

I did not have to put my server address into the allowOriginForAll.


UPDATE: Finally figured out what the cause is…

Safari is throwing a CORS error because it’s not handling the HTTPS upgrade correctly.

If you’re using HTTPS on your server and using meteor build and the --server option to set the ROOT_URL for the Cordova build, make sure to set the URL scheme to https:// with the following syntax:


What syntax? Can you share your code?
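
The cause given in the UPDATE post, as an added example that is not code from any participant in this thread: a change of scheme alone changes the origin, so an HTTP to HTTPS upgrade of the URL baked into the Cordova build is a cross-origin redirect. The function names, the `redirects` input and the `example.com` host are assumptions constructed for illustration.

```javascript
// Added example: function names, the `redirects` input and the
// example.com host are constructed for illustration.

// Which parts of the origin (scheme, host, port) differ between two URLs.
// URL drops default ports, so https://host and https://host:443 compare equal.
function originDiff(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  const changed = [];
  if (a.protocol !== b.protocol) changed.push('scheme');
  if (a.hostname !== b.hostname) changed.push('host');
  if (a.port !== b.port) changed.push('port');
  return changed;
}

// serverUrl: the value intended for `meteor build --server`.
// redirects: Location header values the server answers with when that URL
// is requested, in order (empty if it answers directly).
function auditServerUrl(serverUrl, redirects = []) {
  const findings = [];
  if (new URL(serverUrl).protocol !== 'https:') {
    findings.push({ issue: 'server-url-not-https', url: serverUrl });
  }
  let current = serverUrl;
  for (const location of redirects) {
    const next = new URL(location, current).href; // resolves relative Location values
    const changed = originDiff(current, next);
    if (changed.length > 0) {
      findings.push({ issue: 'cross-origin-redirect', from: current, to: next, changed });
    }
    current = next;
  }
  // The origin the server finally answers on is the one to build against.
  return { ok: findings.length === 0, findings, suggestedServer: new URL(current).origin };
}

// Constructed sample: the server upgrades plain HTTP to HTTPS on the same host.
const upgraded = auditServerUrl('http://app.example.com', ['https://app.example.com/']);
const direct = auditServerUrl('https://app.example.com');
console.log(JSON.stringify(upgraded, null, 2));
console.log(JSON.stringify(direct, null, 2));
```

Running the audit against the exact string passed to `--server` before each mobile build catches the mismatch before it ships in the app bundle.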