I'm trying to understand the same origin policy in detail. To this end I tried to see how it worked with code (I'm a total noob in web development), so I started a Flask server and created a domain
IFrames are generally exempt from the same origin policy.
However, if you look at the HTTP response headers when you call http://google.com, you will see the following header:
Here are some examples of resources which may be embedded cross-origin:
- Anything with <iframe>. A site can use the X-Frame-Options header to prevent this form of cross-origin interaction.
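The framing check described above can be modelled in a few lines. This is an added example, not code from the original post: it is a simplified model of how a browser applies X-Frame-Options to a single iframe, plus a WSGI middleware that sets the header. The function names and the `a.test`/`b.test` origins are assumptions made for illustration.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port): the tuple the same-origin policy compares."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def frame_allowed(embedder_url, framed_url, response_headers):
    """Simplified model of the X-Frame-Options check for one <iframe>."""
    headers = {k.lower(): v for k, v in response_headers.items()}  # names are case-insensitive
    value = headers.get("x-frame-options", "").strip().lower()
    if value == "deny":
        return False
    if value == "sameorigin":
        return origin(embedder_url) == origin(framed_url)
    return True  # no header, or a value this model does not recognise

def add_frame_protection(app, policy="SAMEORIGIN"):
    """WSGI middleware (hypothetical helper) that sets X-Frame-Options on every response."""
    def wrapped(environ, start_response):
        def patched(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", policy))
            return start_response(status, headers, exc_info)
        return app(environ, patched)
    return wrapped

def headers_of(app):
    """Call a WSGI app once, offline, and return its response headers as a dict."""
    captured = {}
    def start_response(status, headers, exc_info=None):
        captured.update(headers)
    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": "/"}, start_response))
    return captured

def plain_app(environ, start_response):
    """Constructed stand-in for a page served without any framing header."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<h1>framed page</h1>"]

if __name__ == "__main__":
    # Constructed origins: two local sites on Flask's default port 5000.
    for app in (plain_app, add_frame_protection(plain_app)):
        hdrs = headers_of(app)
        print(hdrs.get("X-Frame-Options"),
              frame_allowed("http://a.test:5000/", "http://b.test:5000/", hdrs))
```

In a Flask app the same middleware can be installed with `app.wsgi_app = add_frame_protection(app.wsgi_app)`.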