Why CORS does not work?

We have two sites and one periodically generates events and knocking js'ohms to the other. With the move to https all have gone mad. Configured everything seems right, but hard to get "OPTIONS https://www.mdapp.ru/ net::ERR_INSECURE_RESPONSE". Will not even know where to dig and what to do.

Headers that nginx gives:
add_header 'Access-Control-Allow-Origin' '*';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';

As request:
 type: "GET",
 url: 'https://www.mdapp.ru/',
 crossDomain: false,
 success: function (msg) {
 alert("Rolled:" + msg);

I forgot something to configure?
Thank you.
June 27th 19 at 15:26
2 answers
June 27th 19 at 15:28
www.mdapp.ru uses an invalid security certificate.
The certificate is valid only for mdapp.ru
Thank you.
C do a redirect to www and https do not care for it. That bug was. Thanks again. - Jeff commented on June 27th 19 at 15:31
June 27th 19 at 15:30
You have both sites set up?
I don't quite understand, sorry. - Jeff commented on June 27th 19 at 15:33
I see the issue has been resolved. Then I'll ask you
add_header 'Access-Control-Allow-Origin' '*';
Should be on the domain with which the request is made and the domain to which the request is made or only at the domain from which the request is made? - Jeff commented on June 27th 19 at 15:36

Find more questions by tags JavaScriptCORSNginx