What is the difference between a HTTPS Request sent via node.js module and via XMLHttpRequest?

I am trying to send a HTTPS GET request to amazon aws to get a security token from javascript (XMLHttpRequest) and it always fails with "Origin http://my_ip is not allowed by Access-Control-Allow-Origin", but if I send same HTTPS GET request via a node.js module it works fine.

I am confused of this because if server does support CORS, any request from any where should fail, but it goes through via node.js, but not via XMLHttpRequest.

This FAILS

var url_ = "https://sts.amazonaws.com/?Action=GetSessionToken" +
            "&DurationSeconds=3600" +
            "&AWSAccessKeyId=XXXXXXXXXXXXXXX" +
            "&Version=2011-06-15" +
            "&Timestamp=" + encode(timestamp) +
            "&Signature=" + encode(hash) +
            "&SignatureVersion=2&SignatureMethod=HmacSHA256";

// Simple GET request
$.get(url_, function(data) {
    alert("response: " + data);
});

This WORKS

var https = require('https');
var options = {
    host    : 'sts.amazonaws.com',
    method  : 'GET',
    path    : '/?Action=GetSessionToken' +
              '&DurationSeconds=3600' +
              '&AWSAccessKeyId=XXXXXXXXXXXXXX' +
              '&Version=2011-06-15' +
              '&' + timestamp +
              '&' + signature +
              '&SignatureVersion=2&SignatureMethod=HmacSHA256'
};

https.get(options, function(res) {
    res.on('data', function(d) {
        process.stdout.write(d);
    });    
}).on('error', function(e) {
    console.error(e);
});

Can anyone explain me how this works?

The browser is constrained by the Same Origin Policy. Node.js is not.

That is, a browser will let scripts make HTTP requests via XHR only to sites in the same domain as that of the page that loaded the script. Node.js, however, will allow HTTP requests to any domain.

(The browser story is slightly more involved now with CORS, but it's still the basic issue here.)

edit — to elaborate, now that I've re-read your question: CORS is a cooperative protocol. A server on the Internet will serve content to anybody, generally; that's the whole point of running a web server. CORS has nothing to do with HTTP requests unless the requestor asks about it. If you have URL "http://x.y.z/something", and you type that into your browser's address bar, then the browser will unhesitatingly issue the HTTP request to that site. The Same Origin Policy (and CORS) only comes into play when some code in a page from a site in another domain (not "x.y.z") attempts to run an HTTP request via XHR. In that case, the browser asks the "x.y.z" site about access; the default answer is "no", but that's the browser imposing that rule, not the server.