What happens if you use IE8/9's XDomainRequest object to make a same-origin request? Does the request succeed? If so, is it limited in the same ways as cross-origin requests?
XDomainRequest seems to always attach an Origin header to requests it sends, making it appear as if they are cross-origin, even if they are not. So, if a same-origin request is made to a server using XDomainRequest, the request will fail if the server doesn't include Access-Control-Allow-Origin among its response headers. I verified this myself just now. The ability to set headers would be part of the transport's prototype, so methods like setRequestHeader are also still missing, regardless of the ultimate destination.