Yes you have to enable it. You have to send CORS allow headers from server side to your browser. This is because a subdomain counts as a different origin. You probably have to allow HTTP methods like PUT, DELETE, OPTIONS as well. At least I guess angular sends that kind of requests too. You have to handle preflight requests (OPTIONS) by these new methods.