Julien Couvreur has a blog post entitled Cross-document messaging hack where he writes

The Dojo and Windows Live Platform teams have both recently released DHTML hacks that allow two iframes in different domains to communicate, bypassing the notorious same-domain policy implemented in browsers. I'm surprised by the relative lack of response in the AJAX blogosphere, as this opens lots of possibilities for mashups.

The basics:
The hack relies on dynamically created iframes, using the fragment identifier to leak/communicate information to the other domain and timers to check for iframe changes.

For example, if you have page A containing an iframe B in a different domain, then B can create a new iframe and load it with a url in the same domain as A. The url that is loaded doesn't generate a request to the server if it is properly cached and only the fragment identifier is used to pass changing information. Page A can now get the DOM handle on the new iframe and successfully retrieve the information transmitted in the url by B.

Although the hack goes around the same domain policy, you should realize that it does not constitute a significant security threat, as it requires both frames to cooperate. Additionally, this mechanism allows for control of which domains can work together.
...
The applications:
...
Windows Live goes into a more specific proof of concept, with the Windows Live Contacts Gadget, an embeddable contact picker. It explores the problem of cross-domain interactions deeper than the Dojo work, specifically around authentication, access control and privacy.

Like Julien, I'm surprised that there hasn't been more discussion about this technique in the AJAX blogs. I first learned about this technique from Yaron Goland while he was working with Danny Thorpe and others on the Windows Live Contacts Gadget. With this technique I can embed a widget gadget hosted on my domain on a page from another domain and then later on exchange data or otherwise communicate between the widget gadget and the hosting page.

This is how the Windows Live Contacts Gadget allows you to embed a control that opens a portal to a user's Hotmail address book and then communicates the contacts the user has picked back to the hosting page. It's a really sweet hack.
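The following is an added example, written for this post and not code from Julien's post, Dojo or the Windows Live Contacts Gadget. It sketches the fragment-identifier channel described above: page A embeds gadget iframe B from another domain, B creates a nested iframe pointing at a cached relay page on A's domain and changes only its fragment, and A reads that nested frame's location.hash on a timer. The relay URL, the polling interval, the JSON-with-sequence-number message format and the helper names are all assumptions. The two security-relevant points the post makes are made concrete: A controls which domains it will talk to by deciding at embed time which gadget origins it loads, and the channel only works because both frames cooperate (the nested frame must be same-origin with A for A to read it).

```javascript
// Added example of a fragment-identifier channel between a host page (A) and a cross-domain
// gadget iframe (B). The pure helpers run without a DOM; the browser wiring runs only in a page.
// RELAY_PAGE, POLL_MS and the message format are assumptions, not part of the original post.

const RELAY_PAGE = 'https://a.example/relay.html';   // assumed: blank, cacheable page on A's domain
const POLL_MS = 100;                                  // assumed polling interval

// Origin helpers: A decides at embed time which gadget domains it is willing to talk to.
function originOf(url) {
  return new URL(url).origin;
}
function isAllowedOrigin(url, allowedOrigins) {
  return allowedOrigins.includes(originOf(url));
}

// Sender side (script in gadget iframe B). A sequence number lets the receiver tell a repeated
// identical payload from "no change", since the poller only compares fragments between ticks.
function encodeFragmentMessage(seq, payload) {
  return '#' + encodeURIComponent(JSON.stringify({ seq, payload }));
}
function buildRelayUrl(seq, payload) {
  return RELAY_PAGE + encodeFragmentMessage(seq, payload);
}

// Receiver side (script in page A). Malformed fragments are dropped, not thrown, because this
// runs inside a timer callback.
function decodeFragmentMessage(hash) {
  if (typeof hash !== 'string' || hash.length < 2) return null;
  try {
    const msg = JSON.parse(decodeURIComponent(hash.slice(1)));
    return Number.isInteger(msg.seq) ? msg : null;
  } catch (e) {
    return null;
  }
}

class FragmentReceiver {
  constructor() { this.lastSeq = -1; }
  // Called on every poll tick with the relay frame's current hash. Returns the payload when a
  // new message is present, otherwise null (unchanged, replayed, out of order, or malformed).
  // Payloads are expected to be non-null JSON values.
  accept(hash) {
    const msg = decodeFragmentMessage(hash);
    if (msg === null || msg.seq <= this.lastSeq) return null;
    this.lastSeq = msg.seq;
    return msg.payload;
  }
}

// Offline simulation of the protocol logic: what B would put in the fragment and what A would
// deliver. Each message is "polled" twice to show that an unchanged fragment is not redelivered.
function simulateRoundTrip(messages) {
  const receiver = new FragmentReceiver();
  const ticks = [];
  messages.forEach(function (m, seq) {
    const hash = new URL(buildRelayUrl(seq, m)).hash;   // what A sees in relay.location.hash
    ticks.push(hash, hash);
  });
  return ticks.map(function (h) { return receiver.accept(h); })
              .filter(function (p) { return p !== null; });
}

// Browser wiring for page A. frames[] of a cross-origin window is reachable; the nested relay
// frame is same-origin with A, so its location.hash is readable. B itself cannot be read.
function embedGadget(gadgetUrl, allowedOrigins, onMessage) {
  if (!isAllowedOrigin(gadgetUrl, allowedOrigins)) {
    throw new Error('refusing to embed gadget from ' + originOf(gadgetUrl));
  }
  const frame = document.createElement('iframe');
  frame.src = gadgetUrl;
  document.body.appendChild(frame);
  const receiver = new FragmentReceiver();
  setInterval(function () {
    const relay = frame.contentWindow && frame.contentWindow.frames[0];
    if (!relay) return;
    let hash;
    try { hash = relay.location.hash; } catch (e) { return; }   // relay not loaded yet
    const payload = receiver.accept(hash);
    if (payload !== null) onMessage(payload);
  }, POLL_MS);
  return frame;
}

// Browser wiring for gadget B: send by repointing the nested relay iframe at A's relay page.
// After the first load only the fragment changes, so no further request reaches A's server.
function makeFragmentSender(relayFrame) {
  let seq = 0;
  return function send(payload) {
    relayFrame.src = buildRelayUrl(seq++, payload);
  };
}
```

In a browser, page A calls embedGadget with the gadget URL and its allow-list of gadget origins, and gadget B creates one nested iframe and wraps it with makeFragmentSender. Current browsers provide window.postMessage with an explicit origin argument for exactly this purpose; the fragment channel is worth understanding mainly when reading or retiring mashup code from this era.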
