Well first you tried to load a non SSL thing from an SSL thing
Which is normally blocked under mixed content rules.
Secondly, if you are accepting mixed content, that would suggest your CORS headers are not working as expected.
You will get more mileage with the suggested CORS middleware https://expressjs.com/en/resources/middleware/cors.html