Mashups web 2.0 security and privacy
The same-origin policy is one of the only features of a browser which provides separation of control between different application owners, ie, an application cannot take over control of another
application for malicious purposes. For a classic example of a problem which could arise without this policy, consider a tabbed browsing environment where a user has an Internet banking application
open in one tab and a page served by a hacker in another tab. If the malicious page were able to control content and actions on the Internet banking page, it would be able to make a transfer of
funds into an arbitrary bank account even if One-Time Passwords were used by substituting a bank account number in a POST request.
On the other hand, there are important situations where the same-origin policy needs to be relaxed in order for web applications to function. POST requests are an important example of such
necessary relaxation of the same-origin policy. In order to provide enough flexibility for applications processing HTML form data, there are no built-in controls in browsers forbidding the submission of
cross-domain POST requests. On the other hand, this important design decision has led to vulnerabilities under the heading of cross-site request forgery [5.3.1.1.1.1].