The same origin security policy of browsers - Client/server communication


What is it?

It is a default browser security mechanism that constrains components such as objects 
and pages on a browser to connecting only with the server (domain) that delivered 
the base page.

What is this demo?

This demo shows a page that contains two iframes and a div loaded from different domains:
 - the parent/top frame, say A, (the frame containing this text) is loaded from coolshare.com
 - the first iframe, say B, is loaded from coolshare.com too
 - the second iframe, say C, is loaded from markqian.com
 - a div in A, say D, is loaded from coolshare.com

There are buttons below where you can make calls to different servers.
As you can see, the calls only succeed when they go to "the same origin".

This is the parent frame A (loaded from Coolshare.com)

You can always load the entire iframe B from the parent, A, by changing the iframe's "location.href":


but you can't change the src attribute of C (an iframe loaded from a server other than coolshare.com):


and you can't load D (a div from coolshare) with content from a server other than coolshare using AJAX:
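As an added example (not part of the original demo page), the script below computes the origin tuple (scheme, host, port) that the browser compares under the same-origin policy and applies it to the demo's frames; the URL of the parent frame A is an assumption, while the URLs of B and C are the ones listed on this page.

```javascript
// Compute the origin the browser compares: scheme + host + port.
// Uses the WHATWG URL class, available in browsers and in Node.
function originOf(urlString) {
  const u = new URL(urlString);
  // u.host keeps an explicit non-default port ("host:8080") and drops a
  // default one (":80" for http, ":443" for https), so it normalises for us.
  return `${u.protocol}//${u.host}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// What frame A's scripts may do with a frame or an AJAX target under SOP.
function describeAccess(parentUrl, targetUrl) {
  return sameOrigin(parentUrl, targetUrl)
    ? "same origin: A may read and modify the frame's document and read AJAX responses"
    : "cross origin: A gets no DOM access into the frame; AJAX responses are withheld unless CORS allows them";
}

// Assumed URL of the parent frame A (the page only says "coolshare.com").
const PARENT_A = "http://www.coolshare.com/html/demo.htm";
// URLs of B and C as listed on the demo page.
const FRAME_B = "http://www.coolshare.com/html/downld_p.htm";
const FRAME_C = "http://markqian.com/RemoteScriptGuru/html/dynamic_script/load_test3.html";

// Results for the demo's frames plus common pitfalls: the bare apex domain,
// https, and a non-default port are each a distinct origin from
// http://www.coolshare.com, even though they are the same "site".
function demoResults() {
  return {
    B: sameOrigin(PARENT_A, FRAME_B),                              // true
    C: sameOrigin(PARENT_A, FRAME_C),                              // false
    apex: sameOrigin(PARENT_A, "http://coolshare.com/"),           // false
    https: sameOrigin(PARENT_A, "https://www.coolshare.com/"),     // false
    port: sameOrigin(PARENT_A, "http://www.coolshare.com:8080/"),  // false
    defaultPort: sameOrigin(PARENT_A, "http://www.coolshare.com:80/x"), // true
  };
}

for (const [name, url] of [["B", FRAME_B], ["C", FRAME_C]]) {
  console.log(`${name}: ${originOf(url)} -> ${describeAccess(PARENT_A, url)}`);
}
```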
B was loaded as http://www.coolshare.com/html/downld_p.htm initially, the same origin as the parent frame
C was loaded as http://markqian.com/RemoteScriptGuru/html/dynamic_script/load_test3.html initially, a different origin from the parent frame
A div, D, in the top frame A