I don't understand why, but my CORS call is not working.

I added the meta tag to index.html

<meta http-equiv="Content-Security-Policy" content="default-src *; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'">

my android manifest has:

 <uses-permission android:name="android.permission.INTERNET" />

the headers of my call are :

Access-Control-Allow-Headers → Content-Type
Access-Control-Allow-Methods → GET,PUT,POST,DELETE
Access-Control-Allow-Origin → *

In my config.xml i have

 <access origin="*" />
 <plugin name="cordova-plugin-whitelist" version="1" />

and my code is

 var request = new XMLHttpRequest();
 request.open("GET", "http://XXXXXXXXXX/XXXXX", true);
console.log("test");
request.onreadystatechange = function () {
   console.log("DOES NOT COME HERE?")
    if (request.readyState == 4) {
        if (request.status == 200 || request.status == 0) {
            alert(code);
            var product = JSON.parse(request.responseText);
            alert(product.CNK);
        }
    }

"DOES NOT COME HERE" doesn't get printed, also no error printed in the log? I really don't know what I'm doing wrong :(

OK the solution was so stupid, I searched way to long for this

var request = new XMLHttpRequest();
request.open("GET", "http://XXXXXXXXXX/XXXXX", true);
console.log("test");
request.send()
request.onreadystatechange = function () {
console.log("DOES NOT COME HERE?")
if (request.readyState == 4) {
    if (request.status == 200 || request.status == 0) {
        alert(code);
        var product = JSON.parse(request.responseText);
        alert(product.CNK);
    }
}

As you see I added request.send() :)