Does the CORS asteriks / wildcard include both encrypted and unencrypted origins?

Does the CORS asteriks / wildcard include both encrypted and unencrypted origins?

Does the CORS asteriks / wildcard (*) include both encrypted (https) and unencrypted origins (http)? And is the null origin (i.e., when a local file is doing a xmlhttprequest, or within an iframe with sandbox attribute) regarded as http?