answer:"New application really fast" is why browser are adding more and more cross-origin protection for loading JavaScript. (Warning: broad vulgarisation) A decade and more ago, cookies were not necessarily HTTPOnly and any JavaScript could be run from any origins. One could have a page, load an iframe with a legitimate site, and a "layer" above that iframe and capture clicks and keyboard keystrokes. Is this the kind of behavior you're thinking about?