ClonedOne ClonedOne - 9 months ago 55
Javascript Question

Same origin policy seemingly not working

I'm trying to understand the same origin policy in detail. To this end i tried to see how it worked with code (i'm a total noob in web development) so i started a Flask server and created a domain
and a subdomain
. Then in the
page of the subdomain i created an
- without modifying the
property in any way as read here.

Now from what i had read, i tought this would fail, but instead it correctly shows the content of the super domain
page. I've repeated the experiment hosting the two domains on two different physical computers but that didn't change anything. (I've tried both Firefox and Chrome)

Now i've also tried with with
and this does actually get stopped by the SOP. So at the moment i'm kind of in deep confusion, could anyone pls help me make some sense of it? Thanks.

Answer Source

IFrames are generally exempt from the same origin policy.

However, if you look at the HTTP response headers when you call, you will see the following header:


This explicitly tells your browser that it should prevent the page from being displayed across origins.

MDN describes this particular behavior:

Here are some examples of resources which may be embedded cross-origin:


  • Anything with <frame> and <iframe>. A site can use the X-Frame-Options header to prevent this form of cross-origin interaction.