If the player accesses another domain, for example, loads HLS manifest, subtitle or playlist, cross-domain restrictions apply. You need confirmation that this document can be downloaded from another's domain. For this purpose CORS was invented - the technology of cross-domain permissions.
In PHP this is done by calling the header function:
<?php header("Access-Control-Allow-Origin: http://example.com"); ?>
On enable-cors.org you can find instructions for other server technologies.
More information about CORS can be found here.
If the player can't load a document, look at the messages in the browser console (In Chrome it can be found in More Tools > Developer Tools) — there will be detailed information.
While working in security mode (HTTPS), all files must be downloaded using the same protocol.