Chapter 10. Origin Inheritance

Some web applications rely on pseudo-URLs such as about:, javascript:, or data: to create HTML documents that do not contain any server-supplied content and that are instead populated with the data constructed entirely on the client side. This approach eliminates the delay associated with the usual HTTP requests to the server and results in far more responsive user interfaces.

Unfortunately, the original vision of the same-origin policy did not account for such a use case. Specifically, a literal application of the protocol-, host-, and port-matching rules discussed in Chapter 9 would cause every about:blank document created on the client side to have a different origin from its parent page, preventing it from being ...
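The mismatch described above can be reproduced with a literal protocol, host, and port comparison. This is an added example, not code from the book; the parent URL, the child URLs, and the helper names `originTuple`, `literalSameOrigin`, and `compareChildren` are constructed for illustration.

```javascript
// Added example: literal protocol/host/port matching applied to pseudo-URLs.
// PARENT and CHILDREN are constructed sample input, not values from the book.

// Reduce a URL to the (protocol, host, port) tuple that the matching rules compare.
function originTuple(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { "http:": "80", "https:": "443" };
  return {
    protocol: u.protocol,
    host: u.hostname, // empty string for about:, javascript:, and data:
    port: u.port || defaultPorts[u.protocol] || "",
  };
}

// Literal rule: all three components must be identical.
function literalSameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Compare a parent page against each document URL it might create.
function compareChildren(parent, children) {
  return children.map((child) => ({
    child,
    tuple: originTuple(child),
    sameOriginAsParent: literalSameOrigin(parent, child),
  }));
}

const PARENT = "https://app.example.com/editor";
const CHILDREN = [
  "about:blank",
  "javascript:'<p>client-built</p>'",
  "data:text/html,<p>client-built</p>",
  "https://app.example.com:443/frame.html", // ordinary server-supplied frame
];

for (const row of compareChildren(PARENT, CHILDREN)) {
  console.log(
    row.child.padEnd(40),
    JSON.stringify(row.tuple),
    row.sameOriginAsParent ? "same origin" : "DIFFERENT origin"
  );
}
```

Only the ordinary `https:` frame matches the parent. The three pseudo-URLs carry no host or port at all, so the literal comparison can never succeed for them.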
