Ah, sounds like you have the same problem as posted here.
I’m not sure that Cross Origin headers are going to solve this for you - they didn’t in my testing. As I posted over in the other reply, I got around the browser’s mixed content objections by running an nginx reverse proxy which listens on a port with https enabled and forwards connections to the bot. I used the bitnami/nginx docker image for this (As a side note, I also have this nginx container serve assets like images/js/css for the bot itself.)
There will be something in the first link I sent you about nginx proxying with ssl, failing that, there are lots of online configs on google and walkthroughs on youtube. Look at several and consider how this can work in to your architecture.
As I said in the other thread, there may be other ways to solve this issue, but using nginx as a https <-> http proxy for the bot is the only way I have done it.