Load data via IFRAME
to dribble CORS when there is no possibility of a JSONP, it is a light solution. In the specification browsers should block this type of feature by allowing only the site containing the JavaScript to send via postMessage
and interpret messages sent to it separately.
If this is not the case, you are exploiting a security flaw that some browsers may have, so the tendency is for these faults to be suppressed and your system to stop working. Whether it's a browser update, security or anti-virus plug-ins integrated with the client browser.
A suitable solution to give information from another site that does not have this data directly from client to client, is to use a server to do a tunneling, how it works:
Your client makes a request to your server
Your server modifies the request by including data such as API_KEY, cookies, etc. needed to communicate with the target webservice
It sends and captures webservice response
Treat the response and send the data back to your client either raw or processed
The service can be expanded to a webservice without problem, as long as your server handles the data correctly to send to the site that holds the desired information.