It is recommended to serve the preview application and the CoreMedia Studio application from different origins (an origin consists of protocol, host and port), as described in Section 3.3, “Basic Preview Configuration”. When the application origins are separated, the browser ensures that both applications run independently in their own environment without direct access to each other (see Same-origin policy). Potential vulnerabilities in the preview application cannot automatically propagate into the Studio application and vice versa.
It is highly recommended to serve both CoreMedia Studio and the embedded preview over HTTPS. The unencrypted HTTP protocol should only be used in a well-separated development environment. Because of several browser constraints regarding mixed content, serving CoreMedia Studio and the embedded preview over different protocols is highly discouraged.
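The following check applies both recommendations above to a pair of deployment URLs. It is an added example, not CoreMedia code; the function name, the finding codes and the `example.com` host names are hypothetical and constructed for illustration.

```javascript
// Checks a Studio URL and a preview URL against the recommendations:
// different origins, HTTPS for both, and no mixing of protocols.
// Returns a list of finding codes (empty list = nothing to report).
function checkPreviewDeployment(studioUrl, previewUrl, { development = false } = {}) {
  const studio = new URL(studioUrl);
  const preview = new URL(previewUrl);
  const findings = [];

  // An origin is protocol + host + port. URL.origin drops default ports,
  // so https://host and https://host:443 are correctly treated as the same origin.
  if (studio.origin === preview.origin) {
    findings.push("SAME_ORIGIN");
  }

  // Different protocols run into the browser's mixed content restrictions.
  if (studio.protocol !== preview.protocol) {
    findings.push("MIXED_PROTOCOLS");
  }

  // Plain HTTP is tolerated only for a separated development environment.
  for (const [name, url] of [["STUDIO", studio], ["PREVIEW", preview]]) {
    if (url.protocol !== "https:" && !development) {
      findings.push(`${name}_NOT_HTTPS`);
    }
  }
  return findings;
}

// Constructed sample configurations.
console.log(checkPreviewDeployment("https://studio.example.com/", "https://preview.example.com/"));
console.log(checkPreviewDeployment("https://cms.example.com/studio", "https://cms.example.com:443/preview"));
console.log(checkPreviewDeployment("https://studio.example.com/", "http://preview.example.com/"));
```

Note that a different path on the same host and port, as in the second sample, does not produce a different origin.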