New to cross-domain CORS

Published 2019-08-31 06:20

Question:

I am new to this thing, so there are some questions I wanted to ask after looking up a bunch of sites related to CORS.

First of all, let's say I have http://domain1.com that has an AJAX call to http://domain2.com. I looked up http://enable-cors.org/server.html, and it says that I will have to add

Access-Control-Allow-Origin: *

this response to my page header or add this setting to web.config in the root directory of my application, but I was confused: should I add the response header to the domain1 or the domain2 application? My guess was to add it to domain2, but I cannot be sure because I don't have the required things to test it.

Furthermore, what if domain2.com were on https, meaning I am calling from http to https, will this work?

And how about IE?

Answer 1:

You should add it on http://domain2.com because Access-Control-Allow-Origin is permission for http://domain1.com to get information from http://domain2.com. Note that the (*) symbol means that the domain allows access to everyone, so you need to be careful with that. A better option would be:

Access-Control-Allow-Origin: http://domain1.com

It works fine for IE and for https:

Access-Control-Allow-Origin: http://domain1.com, https://domain1.com

Take a look for more information here.
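
An added example, not part of the original answer: one way for the server at domain2.com to serve both the http and https origins of domain1.com. Browsers compare the Access-Control-Allow-Origin value against the single Origin of the request, so the sketch echoes the one matching entry from an allowlist; `ALLOWED_ORIGINS`, `corsHeaders` and the allowed methods and headers are hypothetical choices for illustration.

```javascript
// Added example: origin allowlist for responses from domain2.com.
// ALLOWED_ORIGINS and corsHeaders() are hypothetical names.
const ALLOWED_ORIGINS = new Set([
  "http://domain1.com",  // scheme is part of the origin, so http and
  "https://domain1.com", // https are listed as two separate entries
]);

// Build the CORS response headers for one request.
// `method` is the HTTP method, `reqHeaders` a map with lower-cased names.
function corsHeaders(method, reqHeaders, allowed = ALLOWED_ORIGINS) {
  // Vary: Origin stops a shared cache from replaying a response that
  // was generated for one origin to a different origin.
  const headers = { "Vary": "Origin" };
  const origin = reqHeaders["origin"];

  // No Origin header, or an origin that is not an exact match: grant
  // nothing. Exact comparison avoids the prefix/suffix mistakes that
  // would accept look-alike hosts such as domain1.com.example.net.
  if (!origin || !allowed.has(origin)) return headers;

  // Echo exactly one origin back to the browser.
  headers["Access-Control-Allow-Origin"] = origin;

  // Preflight (OPTIONS + Access-Control-Request-Method): state which
  // methods and request headers the real call may use.
  if (method === "OPTIONS" && reqHeaders["access-control-request-method"]) {
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Allow-Headers"] = "Content-Type";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Constructed sample requests, not captured traffic.
const samples = [
  ["GET", { origin: "http://domain1.com" }],
  ["GET", { origin: "https://domain1.com" }],
  ["OPTIONS", { origin: "https://domain1.com",
                "access-control-request-method": "POST" }],
  ["GET", { origin: "http://domain1.com.example.net" }],
  ["GET", {}],
];
for (const [method, reqHeaders] of samples) {
  console.log(method, reqHeaders.origin || "(no Origin)", "->",
              JSON.stringify(corsHeaders(method, reqHeaders)));
}
```

The returned map would be merged into the response headers by whatever framework serves domain2.com; in an ASP.NET application the same decision is made in code rather than as a static web.config value.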