This webpage explores what is and is not allowed by the same-origin policy (SOP) when JavaScript in a webpage tries to access, and possibly modify, other parts of that webpage. As the name suggests, content (including JavaScript code) from some origin is only allowed to access resources that come from the same origin.

Access this page via HTTP; otherwise the browser's mixed-content protection will stop the HTTP iframe included below from loading. Alternatively, look at the HTTPS variant of this demo.

Click ANYWHERE IN THIS SENTENCE to change the frame.

And click ANYWHERE IN THIS SENTENCE to change it back.

Accessing the JavaScript functions of the inner frame is only allowed if it comes from the same origin.
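The rule above, as an added example that is not part of the original demo page: the origin comparison a browser applies to a page and its frame, and a guarded call into the frame that reports a blocked access instead of failing. The host `demo.example`, the URLs and the helper names are constructed for illustration.

```javascript
// Added example. An origin is the (scheme, host, port) tuple of a URL.
// Opaque origins (data:, file:, ...) serialize to "null" and never match anything.
function originTuple(url) {
  const u = new URL(url);
  if (u.origin === "null") return null;
  const defaultPorts = { "http:": "80", "https:": "443" };
  return {
    scheme: u.protocol,
    host: u.hostname,
    // URL leaves port empty when it is the scheme default; make it explicit.
    port: u.port || defaultPorts[u.protocol] || "",
  };
}

function isSameOrigin(a, b) {
  const oa = originTuple(a);
  const ob = originTuple(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Call a function defined in a frame (pass iframe.contentWindow in a browser).
// For a cross-origin frame the property read itself throws a SecurityError.
function callFrameFunction(frameWindow, name, ...args) {
  try {
    const fn = frameWindow[name];
    return { allowed: true, value: fn.apply(frameWindow, args) };
  } catch (e) {
    if (e && e.name === "SecurityError") return { allowed: false, value: undefined };
    throw e; // anything else is a real bug, not an SOP denial
  }
}

// Constructed sample pairs: [outer page, inner frame]
const samples = [
  ["http://demo.example/sop.html", "http://demo.example:80/frames/inner.html"],
  ["https://demo.example/sop.html", "http://demo.example/frames/inner.html"],
  ["http://demo.example/sop.html", "http://www.demo.example/frames/inner.html"],
  ["http://demo.example/sop.html", "http://demo.example:8080/frames/inner.html"],
];
for (const [page, frame] of samples) {
  console.log(isSameOrigin(page, frame) ? "same origin " : "cross origin", page, frame);
}
```

The second pair shows why the HTTP and HTTPS variants of the demo behave differently: the scheme is part of the origin, so the same host served over both counts as two origins.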