The Cross-document Messaging API in HTML5 makes it possible for two documents to interact with each other without directly exposing the DOM. Just imagine the following scenario: Your web page has an iframe that is hosted by a different website. If you try to read some data from that iframe, the browser will be very upset and may throw a security exception. It prevents the DOM from being manipulated by a third-party document, thereby stopping potential attacks such as CSRF or cross-site scripting (XSS). But the Cross-document Messaging API never directly exposes the DOM. Instead, it lets HTML pages send messages to other documents through a message event.

The Cross-document Messaging API is useful ...