Thursday, 15 April 2010

javascript - Is cross domain request possible?

In the following code, when I press submit, the iframe loads the URL mentioned in the textbox. Isn't this a violation of not allowing cross-domain requests? I am using Mozilla 14.0.

<!doctype html>
<html>
<head>
<script>
function myFunction() {
  // copy the URL typed into the textbox into the iframe's src attribute
  document.getElementById("site").src = document.getElementById("web").value;
}
</script>
</head>
<body>
<input id="web" type="text" name="user">
<input type="submit" value="submit" onclick="myFunction()">
<br/>
<iframe id="site" src="" width="1200" height="1200"></iframe>
</body>
</html>

No, it's not a violation; it's valid.

The same-origin policy prevents accessing methods and properties across pages on different domains. It prevents modifying the included webpage. It does not prevent including it whole (and interacting with it in a limited way).

Basically, the policy prevents website A from posing as the user on website B.

Example

Imagine you visit your bank account (bank.com). When you log in, the bank website generates a "user environment" for you, giving you access to restricted content. It also enables you to create modifications to your bank account through HTTP requests (either form submission or AJAX request).

The website trusts you because you've proved who you are, and you trust the website because you know its intents and purposes; no one can interact with the bank website while you're in the secured environment.

Now imagine you visit a malicious website in another tab (evilweb.com) that has an iframe of the bank website. Without the policy, evilweb.com could pose as you, gaining access to the restricted area, reading DOM info (bank account number, etc.) and interacting with it, clicking the transfer funds button and cleaning out your bank account. The iframe could be hidden.

However, nothing prevents evilweb.com from "downloading" the public contents of bank.com, the same way nothing prevents me from accessing a public website if I don't possess access credentials.

So... posing as the user is different from making a request.

So, basically, evilweb.com can create requests straight to bank.com, but cannot piggyback on you and create requests on your behalf.
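The distinction the answer draws (embedding is always allowed, reading the frame's DOM only within the same origin, and a limited message channel otherwise), as an added example that is not part of the original question or answer. The origin comparison follows the scheme/host/port rule; the function names and the bank.com / evilweb.com URLs are assumed for illustration.

```javascript
// Added example (not from the question or answer): models the same-origin
// check a browser applies before letting a parent page touch an iframe's DOM.
// Runs under Node (pure functions) and in a browser (probeFrame).

// An origin is scheme + host + port; spelled out so all three are visible.
function originOf(href) {
  const u = new URL(href);
  const defaultPort = u.protocol === "https:" ? "443" : u.protocol === "http:" ? "80" : "";
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort };
}

function isSameOrigin(hrefA, hrefB) {
  const a = originOf(hrefA), b = originOf(hrefB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// What a page at parentHref may do with <iframe src=frameHref>.
function frameAccess(parentHref, frameHref) {
  return {
    canEmbed: true,                                  // loading the frame is never blocked
    canReadDom: isSameOrigin(parentHref, frameHref), // contentWindow.document only same-origin
    canPostMessage: true,                            // the "limited interaction" channel
  };
}

// Receiving side of that limited channel: the frame (or parent) must check
// event.origin before trusting a message, or any embedding page could send
// it commands. Pure function so it can be exercised outside a browser.
function acceptMessage(event, trustedOrigin) {
  if (event.origin !== trustedOrigin) return null; // drop messages from other origins
  return event.data;
}

// Browser-only probe mirroring the question's page: try to read the loaded
// frame's document; a cross-origin frame makes the browser throw SecurityError.
function probeFrame(iframe) {
  try {
    return { ok: true, title: iframe.contentWindow.document.title };
  } catch (e) {
    return { ok: false, error: e.name }; // "SecurityError" when origins differ
  }
}
```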

javascript html cross-domain
