Adding the force-ssl package to Meteor project already using appcache

I have a Meteor project which is using the appcache package to keep a cache of the Meteor app in the browser. Now I have purchased an SSL certificate and would like to start forcing users to connect to the https:// address for the site. So I add the force-ssl package. However, when a user goes to http://example.com the cached version of the Meteor app loads, it gets the cache-update notice, and attempts to start downloading the new version of the app. So the http:// site is now trying to request resources from the https:// site and the browser blocks this because of CORS issues.

I've played with the force-ssl package a bit, even tried to set some headers:

var host = url.parse(Meteor.absoluteUrl()).hostname;
res.setHeader('access-control-allow-origin', 'http://' + host);
res.setHeader('access-control-allow-credentials', 'true');
res.setHeader('access-control-allow-methods', 'POST, GET, OPTIONS');

But I am still seeing CORS errors like these:

GET https://www.example.com/sockjs/881/y6to3ysz/xhr 405 (Method Not Allowed) 

Anyone know how to set the headers properly so that the update can go through from the https:// to the http:// site? I'm going down the rabbit hole on setting socksjs headers etc and figured maybe someone has already done this and might save me some time.