Consider the following website. Page A (https://example.com/login) contains a login form and its password field has the attributes
id set to
Since the pages have the same web origin, the Same-Origin Policy does not restrict access between them and, from the browser’s view, the attacker’s code is loaded from the origin https://example.com. But the pages’ DOMs are not connected by any path that allows to access each other.