Does Cross-Origin Resource Sharing(CORS) differentiate between HTTP AND HTTPS?

Question

I have two sites : https//:www.domain-only-uses-https.com and www.domain-uses-both-http-and-https.com

Now I am making 2 ajax GET requests in the page of the former to the later, one is

https://www.domain-uses-both-http-and-https.com/some-path  (using the HTTPS scheme)  

and the other one is

http://www.domain-uses-both-http-and-https.com/some-other-path (using the HTTP scheme) 

And I DID set the "https//:www.domain-only-uses-https.com" as the value of "Access-Control-Allow-Origin:" header in the server "www.domain-uses-both-http-and-https.com ".

But now it seems that only request 1 is allowed by Chrome ,but request 2 is forbidden.

So my question is : does the "Access-Control-Allow-Origin" header differentiate between HTTP AND HTTPS? Hope I've made myself clear..

Answer 1

Yes, HTTP and HTTPS origins are different.

An origin is a combination of hostname, port, and scheme.

  http://foo.example.com:8080/   ^^^^   ^^^^^^^^^^^^^^^ ^^^^    ||           ||        ||  scheme      hostname    port 

If not all of these fields match between two resources, then the resources are from different origins. Thus, you must expressly specify whether the resource is accessible from the origin with an HTTP scheme or the origin with an HTTPS scheme.

Some browsers only allow the Access-Control-Allow-Origin header to contain exactly one origin (or *) sent with each response; however, your server can detect the request's Origin header and send the same origin in the CORS response.