I am developing a website using the Express framework with Node.js for school to learn about cybersecurity/encryption, and I wanted to host my website over the Tor network for extra security / for fun. My server code uses these libraries:
const express = require('express');
const http = require('http');
const WebSocket = require('ws');
const path = require('path');
const helmet = require('helmet');
const crypto = require('crypto');
const rateLimit = require('express-rate-limit');
const fs = require('fs'); // for logging into a file
const cors = require('cors');
The website runs perfectly on the host OS over localhost:3000, yet when I deploy in my Linux distro it has trouble finding my scripts as specified in my HTML:
<link rel="stylesheet" type="text/css" href="style1.css"/>
<script type="module" src="script1.js"></script>
In the Tor dev tools I can see Tor attempting and failing to GET my script1.js and style1.css, as it makes the calls using https. Even when I hardcode the HTML to call the onion address with http:
<script type="module" src="http://vhw4esgaun7zckw4kstkrzfhischtxvyefyzitcvtejm6suny7d9l7yd.onion/script1.js"></script>
This is how I start my server:
const app = express();
app.use(cors());
const server = http.createServer(app);
And I get this error upon starting; my site only displays HTML with no styles or scripts:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://vhw4esgaun7zckw4kstkrzfhischtxvyefyzitcvtejm6suny7d9l7yd.onion/script1.js. (Reason: CORS request did not succeed). Status code: (null).
I have HTTPS-Only Mode off in the Tor Browser while testing, in helmet I have hsts set to false, and when I go straight to http://vhw4esgaun7zckw4kstkrzfhischtxvyefyzitcvtejm6suny7d9l7yd.onion/script1.js it shows my code properly with no error. On the other hand, when I go to https://vhw4esgaun7zckw4kstkrzfhischtxvyefyzitcvtejm6suny7d9l7yd.onion/script1 it never loads, as I'm not using https. Sorry if the answer is obvious; I am very new to web development, just trying to understand encryption and cybersecurity better through a project. Feel free to ask questions!
I tried calling my static files with hardcoded http; they were still called using https. Added the cors module and allowed all origins; the error persisted. Allowed all in my CSP using helmet; the error persisted. Ran out of ideas on what to do.