Recap of the issue
I have a JavaScript-powered HTML course interface residing in our learning management system at domain A. For the purposes of this post, let’s call this domain myLMS.com.
The course interface loads content stored on a website at domain B, which is a completely unrelated website and not a subdomain of domain A. Let’s call this site content.org.
The interface loads the external content into an iframe; this content includes course activities that must send a completion notice to the interface.
Since the content is from an external domain, JavaScript communication between the iframe and the parent frame is explicitly forbidden, meaning the content can never send the completion notice to the parent frame.
Example scenario
The interface at myLMS.com loads a JavaScript-powered quiz question from content.org into the iframe.
The user is not supposed to be allowed to move forward until the question is answered; this means the interface must disallow forward progress until it gets a completion notice (via JavaScript) from the quiz question.
Since the quiz question is loaded into an iframe and is not from the same domain as the parent frame, it is not allowed to interact with the parent frame and can’t use JavaScript to communicate with the course interface. This means the completion notice can’t be sent to the course interface, and the learner can’t move forward.
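The scenario above as an added example (not code from the original post): a simplified model, runnable in Node, of the origin comparison a browser makes before letting script in the iframe touch the parent frame, and of the course interface staying locked when that access is refused. The `http://` URLs, the class and the function names are assumptions made for illustration.

```javascript
// Simplified model of the browser's same-origin check, runnable in Node.
// URLs, class and function names are hypothetical (not from the original post).

// An origin is the (scheme, host, port) tuple. The URL parser lowercases the
// host and leaves `port` empty when it is the scheme's default port.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.hostname}:${u.port || 'default'}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// The course interface in the parent frame: forward progress stays locked
// until a completion notice arrives.
class CourseInterface {
  constructor(url) {
    this.url = url;
    this.completed = false;
  }
  notifyComplete() { this.completed = true; }
  canAdvance() { return this.completed; }
}

// Models script inside the iframe calling into the parent frame.
// A browser refuses cross-origin access with a SecurityError.
function sendCompletionNotice(frameUrl, parentInterface) {
  if (!sameOrigin(frameUrl, parentInterface.url)) {
    const err = new Error(
      `${originOf(frameUrl)} may not script ${originOf(parentInterface.url)}`);
    err.name = 'SecurityError';
    throw err;
  }
  parentInterface.notifyComplete();
}

// Load a quiz, let it try to report completion, and return whether the
// learner is allowed to move forward afterwards.
function learnerCanAdvance(quizUrl, interfaceUrl) {
  const lms = new CourseInterface(interfaceUrl);
  try {
    sendCompletionNotice(quizUrl, lms);
  } catch (e) {
    if (e.name !== 'SecurityError') throw e; // only swallow the policy error
  }
  return lms.canAdvance();
}
```

The model compares scheme, host and port, so a quiz served from the same host over a different scheme is refused just like one from content.org.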
Reference: http://pipwerks.com/2008/11/30/iframes-and-cross-domain-security-part-2/