When a website is served via HTTPS then a HERE Map is not shown. This is because JavaScript resources are loaded via HTTP, hence new browsers refuse to load "insecure content" for a "secure site".
Details
mapsjs-core.js:51 Mixed Content: The page at 'https://demo.organice.io/about/directions/?edit' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://1.base.maps.api.here.com/maptile/2.1/maptile/newest/normal.day/16/34…L_JSMv3.0.12.4&app_id=1ORPrZhy42YS0Ktrf6ZQ&app_code=OHnW8ll7OllNXLfpGd5Lng'. This request has been blocked; the content must be served over HTTPS.response.Nc.qn.arraybuffer @ mapsjs-core.js:51
mapsjs-core.js:51 XMLHttpRequest cannot load http://1.base.maps.api.here.com/maptile/2.1/maptile/newest/normal.day/16/34…L_JSMv3.0.12.4&app_id=1ORPrZhy42YS0Ktrf6ZQ&app_code=OHnW8ll7OllNXLfpGd5Lng. Failed to start loading.response.Nc.qn.arraybuffer @ mapsjs-core.js:51
Update 1 (03-Mar-2018)
When viewing https://demo.organice.io/about/directions/?edit the browser console still spits out:
No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://demo.organice.io' is therefore not allowed access. The response had HTTP status code 403.
The total console output is rather lengthy, and repeats the following pieces several times:
mapsjs-core.js:170
GET https://3.base.maps.api.here.com/maptile/2.1/maptile/7c6ed1603b/normal.day/16/34122/23064/256/png8?xnlp=CL_JSMv3.0.17.0&app_id=1ORPrZhy42YS0Ktrf6ZQ&app_code=OHnW8ll7OllNXLfpGd5Lng 403 ()
?edit:1
Failed to load https://3.base.maps.api.here.com/maptile/2.1/maptile/7c6ed1603b/normal.day/16/34122/23064/256/png8?xnlp=CL_JSMv3.0.17.0&app_id=1ORPrZhy42YS0Ktrf6ZQ&app_code=OHnW8ll7OllNXLfpGd5Lng: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'https://demo.organice.io' is therefore not allowed access. The response had HTTP status code 403.
The closing error message is:
here.js:110 Error: [timeout] https://geocoder.api.here.com/6.2/geocode.json?xnlp=CL_JSMv3.0.17.0&app_id=1ORPrZhy42YS0Ktrf6ZQ&app_code=OHnW8ll7OllNXLfpGd5Lng&searchText=Isles%20of%20Scilly%2C%20TR24%200QH%20Isles%20of%20Scilly request failed
at Object.Zc (eval at <anonymous> (mapsjs-core.js:56), <anonymous>:11:176)
at b (eval at <anonymous> (mapsjs-core.js:56), <anonymous>:9:440)
at eval (eval at <anonymous> (mapsjs-core.js:56), <anonymous>:10:43)
Maybe Worth Mentioning
The top of the errors in the browser console says:
Uncaught SyntaxError: Unexpected token <
geocode.json?xnlp=CL_JSMv3.0.17.0&app_id=1ORPrZhy42YS0Ktrf6ZQ&app_code=OHnW8ll7OllNXLfpGd5Lng&searchText=Isles of Scilly%2C TR24 0QH Isles of Scilly&jsoncallback=H.service.jsonp.handleResponse(5):1
... and a comment on StackOverflow mentions:
Note, since I just wasted half a day chasing this bug - If the server side script fails with an internal server error, the browser may interpret it as if the request wasn't allowed due to Access-Control-Allow-Origin and report this as the error.
Update 2 (04-Mar-2018)
After trying to set CORS headers using django-cors-headers the response doesn't change.
A Note on Access-Control-Allow-Origin
Note that in the CORS architecture, the ACAO header is being set by the external web service (service.example.com), not the original web application server (www.example.com). CORS allows the external web service to authorise the web application to use its services and does not control external services accessed by the web application.
Source: Wikipedia
In other words, HERE Maps needs to set the ACAO (Access-Control-Allow-Origin) header.