The same origin security policy of browsers - Client/server communication

What is it?

It is a defective security mechanism that constrains components such as objects 
and pages in a browser to connect only with the server (domain) that delivered 
the base page.

What is this demo?

This demo shows a page that contains two iframes and a div loaded from different domains:
 - the parent/top frame, say A, (the frame containing this text) is loaded from
 - the first iframe, say B, is loaded from too
 - the second iframe, say C, is loaded from
 - a div in A, say D, is loaded from

There are buttons below where you can make calls to different servers.
As you can see, it is always "the same origin".

This is the parent frame A (loaded from

You can always load an entire iframe from the parent, A, by changing the iframe's "location.href":

but you can't change C's (an iframe loaded from a server other than attribute src:

and you can't load D (a div from coolshare) with content from a server other than coolshare using AJAX:

B loaded as initially, the same as the parent frame
C loaded as initially, different from the parent frame
A div, D, in top frame A
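
The rule the demo exercises, as an added example that is not part of the original page: two URLs share an origin only when scheme, host and port all match, and that comparison decides which of the demo's actions succeed. The hostnames, the FRAMES table and the function names are constructed for illustration; the demo's real servers are not shown on this page.

```javascript
// Constructed placeholder URLs standing in for the demo's frames (assumptions).
const FRAMES = {
  A: "http://a.example.test/demo/index.html",  // parent/top frame
  B: "http://a.example.test/demo/frameB.html", // iframe from the parent's server
  C: "http://c.example.test/frameC.html",      // iframe from a different server
};

// An origin is the (scheme, host, port) triple. The URL parser drops a
// default port, so it is restored here to make ":80" and "" compare equal.
function originOf(url) {
  const u = new URL(url);
  const defaults = { "http:": "80", "https:": "443" };
  const port = u.port || defaults[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Hypothetical model of the demo's buttons: is `action`, issued by a script
// running in the page at `from`, permitted against `target`?
function checkAction(action, from, target) {
  switch (action) {
    case "navigate-frame": // parent sets the iframe's location.href
      return true;         // a navigation, allowed whatever the target origin
    case "access-frame":   // parent script reaches into the frame's document
    case "ajax":           // XMLHttpRequest whose response fills the div D
      return sameOrigin(from, target); // the rule as this page states it
    default:
      throw new Error(`unknown action: ${action}`);
  }
}

// Print the demo matrix: every action from A against frames B and C.
for (const name of ["B", "C"]) {
  for (const action of ["navigate-frame", "access-frame", "ajax"]) {
    const ok = checkAction(action, FRAMES.A, FRAMES[name]);
    console.log(`A -> ${name} ${action}: ${ok ? "allowed" : "blocked"}`);
  }
}
```

The same host served over a different scheme or port counts as a different origin, which a hostname-only comparison would miss.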