Does Cross-Origin Resource Sharing(CORS) differentiate between HTTP AND HTTPS?

javascript http xmlhttprequest cors

21,588

Yes, HTTP and HTTPS origins are different.

An origin is a combination of hostname, port, and scheme.

  http://foo.example.com:8080/
  ^^^^   ^^^^^^^^^^^^^^^ ^^^^
   ||           ||        ||
 scheme      hostname    port

If not all of these fields match between two resources, then the resources are from different origins. Thus, you must expressly specify whether the resource is accessible from the origin with an HTTP scheme or the origin with an HTTPS scheme.

Some browsers only allow the Access-Control-Allow-Origin header to contain exactly one origin (or *) sent with each response; however, your server can detect the request's Origin header and send the same origin in the CORS response.

21,588

Author by

NextStep

Updated on October 24, 2020

Comments

NextStep over 3 years
I have two sites : https//:www.domain-only-uses-https.com and www.domain-uses-both-http-and-https.com

Now I am making 2 ajax GET requests in the page of the former to the later, one is
```
https://www.domain-uses-both-http-and-https.com/some-path  (using the HTTPS scheme) 
```
and the other one is
```
http://www.domain-uses-both-http-and-https.com/some-other-path (using the HTTP scheme)
```
And I DID set the "https//:www.domain-only-uses-https.com" as the value of "Access-Control-Allow-Origin:" header in the server "www.domain-uses-both-http-and-https.com ".

But now it seems that only request 1 is allowed by Chrome ,but request 2 is forbidden.

So my question is : does the "Access-Control-Allow-Origin" header differentiate between HTTP AND HTTPS? Hope I've made myself clear..