How can Facebook make work external iFrames?

How can Facebook make work external iFrames? nThat's my quiestion. I have always know that for security reasons, external HTML iFrames (i.e. An iFrame with src attribute different from the actual domain root), but then I realized that Facebook iFrame applications does really work, something that really surprised me because I knew that this functionality would be available only with the HTML5 sandbox iFrame mode, and this method works even in not HTML5 compliant browser开发者_开发知识库s. Can anyone explain that to me? How can I do that?

You can have an iframe that points to another domain, that's not a problem. However, there are restrictions in terms of what scripting you can do between the domains (i.e. javascript in domain A can't talk to javascript in domain B).

Facebook gets around it by using a second hidden iframe and fragment identifiers for IE<8 (and window.postMessage I believe, for IE>=8 and other browsers). It's a fairly common technique for getting unrelated domains talking to each, here's an example I found with a quick google.