Default to https for the CORS API.

Heroku uses Strict Transport Security (HSTS), which forces that all requests to *.herokuapp.com must use HSTS. However. Chrome cannot read the CORS response after a HSTS redirect due to https://crbug.com/387198. Since the request is going to be redirected to https anyway, the demo and the documentation will use https by default.
2026-05-13 15:09:25 +00:00 · 2014-08-29 19:17:52 +02:00
parent 0745b894c6
commit 4343044781
2 changed files with 3 additions and 5 deletions
--- a/README.md
+++ b/README.md
@@ -53,7 +53,7 @@ If you want to automatically enable cross-domain requests when needed, use the f
 ```javascript
 (function() {
    var cors_api_host = 'cors-anywhere.herokuapp.com';
-    var cors_api_url = (window.location.protocol === 'http:' ? 'http://' : 'https://') + cors_api_host + '/';
+    var cors_api_url = 'https://' + cors_api_host + '/';
    var slice = [].slice;
    var origin = window.location.protocol + '//' + window.location.host;
    var open = XMLHttpRequest.prototype.open;
@@ -74,8 +74,7 @@ If you're using jQuery, you can also use the following code **instead of** the p
 ```javascript
 jQuery.ajaxPrefilter(function(options) {
    if (options.crossDomain && jQuery.support.cors) {
-      options.url = (window.location.protocol === 'http:' ? 'http:' : 'https:') +
-                    '//cors-anywhere.herokuapp.com/' + options.url;
+        options.url = 'https://cors-anywhere.herokuapp.com/' + options.url;
    }
 });
 ```
--- a/demo.html
+++ b/demo.html
@@ -64,8 +64,7 @@ textarea {
 </div>

 <script>
-  var protocol = location.protocol === 'http:' ? 'http:' : 'https:';
-  var cors_api_url = protocol + '//cors-anywhere.herokuapp.com/';
+  var cors_api_url = 'https://cors-anywhere.herokuapp.com/';
  function doCORSRequest(options, printResult) {
    var x = new XMLHttpRequest();
    x.open(options.method, cors_api_url + options.url);