Access-Control-Allow-Origin wihout AJAX

Question

This answer (incorrectly?) states

No, as long as the CORS Access-Control-Allow-Origin is at its default restrictive value. This prevents the outer website from accessing the framed website via Javascript/etc.

However, I was pretty sure that a framed website cannot be accessed unless it is the same domain, regardless of CORS settings:

e.g. this answer

an iFrame cannot read the contents of another iFrame unless they are on the same domain.

and this answer

Frames have scripting rights and protections granted by the Same-Origin Policy. A script executing on a parent cannot read the contents of a child iframe that is of another domain.

So my question is, if CORS is implemented, is it possible for one domain to read content from another domain without issuing an AJAX request?

e.g. in the first post

Victor can verify the contents of the HTML it retrieves and verify all referenced scripts as well.

How would this be achieved? Can it be achieved without AJAX (i.e. is it possible to read cross frame or via any mechanism in the DOM, or is it a case of one site issuing an AJAX request to the other?).

Answer 1

Cross-origin resource sharing is dangerous, and more effort has been put into locking down the SOP than technologies such as CORS which bend the rules. At the end of the day I don't want people reading my email because I'm visiting their website. (They need to earn that right with an 0-day!)

CORS is strictly a JavaScript feature. Although, I hadn't thought of it until this post, but why shouldn't CORS be used to break other SOP rules? This can be implemented in a secure way, and more importantly it would be regular.

Can a domain access another domain without Ajax and CORS? The answer is yes, after all we had a solution to this problem before CORS. Before CORS, there where two major ways that web apps broke the SOP. The first method is to use a Cross-Domain Proxy which is a server-side component to fetch inaccessible content on behalf of the client. The second method is XSS, yes people actually intentionally implemented an XSS vulnerability for the purposes of resource sharing, which is indiscriminate. As a result CORS is strongly preferred over these methods.