Application can script in browser in any domain's context.
vulners.com/securityvulns/securityvulns:doc:26785