Question

Cross-domain policies restrict downloading content from another domain:

  http://mysiteA.com   <--NO-->   http://myothersite.com

But is downloading from the same domain via a different protocol allowed and would it work (can someone test) in everyday web browsers?

  http://mysite.com    <--?-->    https://mysite.com

Solution

So you're confused. This is not XSS, but cross domain access - XSS is a security vulnerability where you are echoing user input back into an HTML page without encoding it.

What you are asking about is cross domain access, presumably from Ajax, but perhaps from Silverlight or Flash.

If this is so, the answer is no, because the protocol is different: one site has HTTP, one site has HTTPS. You can only access resources where the protocol, the domain name, and the network port ALL match.

OTHER TIPS

Yes (to the question in the title), per Wikipedia's explanation of "same-origin policy":

The term "origin" is defined using the domain name, application layer protocol, and (in most browsers) TCP port of the HTML document running the script. Two resources are considered to be of the same origin if and only if all these values are exactly the same.

so http://foo.bar and https://foo.bar are not "same origin", for example.
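The rule both answers describe (scheme, host and port must all match) can be checked directly with the WHATWG URL parser, which is what browsers use. The following is an added example, not code from the question or either answer; the hostnames are the constructed sample values from the question, and the `isTrustedOrigin` helper is a hypothetical server-side use of the same comparison.

```javascript
// Added example: a same-origin check that mirrors the browser rule quoted
// above. Two URLs share an origin only if scheme, host and port all match.
// The WHATWG URL parser normalises the comparison for us: it lowercases the
// host and drops the scheme's default port (80 for http, 443 for https), so
// "http://MySite.com:80" and "http://mysite.com" compare equal.
// Runs unchanged in Node.js or any modern browser.

function originOf(urlString) {
  // Throws on malformed input (including the literal "null" origin);
  // callers decide whether that is fatal.
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Hypothetical server-side use: decide whether an Origin request header
// (sent by the browser on cross-origin requests) names an origin we trust
// before echoing it back in Access-Control-Allow-Origin. The header is
// untrusted text, so it is compared by parsed origin, never by prefix or
// substring matching.
function isTrustedOrigin(originHeader, trustedUrls) {
  let candidate;
  try {
    candidate = originOf(originHeader);
  } catch (_e) {
    return false; // unparsable or "null" origin: not trusted
  }
  return trustedUrls.some((t) => originOf(t) === candidate);
}

// The cases from the question (constructed sample values):
const cases = [
  ["http://mysiteA.com", "http://myothersite.com"],  // different host
  ["http://mysite.com", "https://mysite.com"],        // different scheme
  ["http://mysite.com", "http://MySite.com:80/path"], // same origin
  ["https://mysite.com", "https://mysite.com:8443"],  // different port
];
for (const [a, b] of cases) {
  console.log(`${a}  vs  ${b}  ->  ${sameOrigin(a, b) ? "same" : "cross"}-origin`);
}
```

Only the second pair is the http/https case the question asks about; it is reported as cross-origin, matching what the browser enforces.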

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow