1) Does the same-origin policy protect against an XSS attack? Why or why not?
2) Does setting the Secure flag (HTTPS only) on a cookie protect against a CSRF attack? Why or why not?