Here are the settings in my config.xml:
Here is my CSP meta on my SPA's index.html:
<meta http-equiv="Content-Security-Policy" content="default-src * 'self' ws: ; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; media-src *; img-src 'self' data:">
I would greatly appreciate any advise, as if this takes me much longer to figure out I may have to work through some off days on the holidays in order to make deadline :/
One more thing to add, this error only happens on iOS. The android version of the app has never had an issue with this. The origin header is still there on the android request, but the browser passes the response through as is intended.
The issue appears to be that the iOS browser does not like 204 responses. Our API was returning a 204 No Content on our push notifications call, since there really is no content to return. We changed the API to a 200 as a work around and I was getting the response back as expected. Thankfully we have control of this API to change it, for future reference 204 returns will not work in phone gap on iOS.