A very simple and dirty example of such a website is here.
The name of the page loaded into the main one appears after the hash part of the URL. Since an XHR call is made, an attacker is tempted to abuse it by inserting an external site in order to include its content in the context of the page:
Due to the SOP (Same Origin Policy) the XHR call fails (red message in the console below), which is the outcome an unwary developer would expect.
To bypass this, it’s just a matter of allowing the request on the attacker’s side. The following PHP file, which contains a CORS header allowing the remote XHR call, is enough to render the XSS payload included in it.
<?php header("Access-Control-Allow-Origin: *"); ?>
<img src=1 onerror=alert(document.domain)>
It’s also possible to exploit this page with something simpler:
#data:text/html,<img src=1 onerror=alert(document.domain)>
But unlike the CORS trick, it will not work on Microsoft browsers (access is denied).
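The root cause on the vulnerable page is that the hash fragment is used as-is as the URL to fetch, so both the CORS trick and the data: URI reach the loader. The following is an added example (not the demo site's code) of a hash-driven loader that only accepts a fixed allowlist of page names; the allowlist, the /pages/ layout and the injected fetch/render callbacks are assumptions made for the example.

```javascript
// Added example (not the original post's code): a hardened hash-driven page loader.
// Assumptions: page fragments live under /pages/<name>.html on the same origin and
// the set of loadable names is fixed; ALLOWED_PAGES and the path layout are made up.
const ALLOWED_PAGES = new Set(["home", "about", "contact"]);

// Map location.hash (e.g. "#about") to a same-origin URL, or null if it is not
// one of the allowed page names. Anything that is not a bare name, such as
// "//attacker.example/x.php", "data:text/html,...", "http://..." or "../admin",
// fails the pattern and is never fetched, so a permissive CORS header on a
// remote host gives the attacker nothing to work with.
function resolvePageFromHash(hash, origin) {
  const name = hash.startsWith("#") ? hash.slice(1) : hash;
  if (!/^[a-z0-9_-]{1,32}$/.test(name)) return null;
  if (!ALLOWED_PAGES.has(name)) return null;
  const url = new URL(`/pages/${name}.html`, origin);
  // belt and braces: the resolved URL must still be on our own origin
  if (url.origin !== new URL(origin).origin) return null;
  return url.href;
}

// The loader takes its I/O as parameters so it can run outside a browser.
// In a page you would call:
//   loadPage(location.hash, location.origin,
//            u => fetch(u).then(r => r.text()),
//            html => { document.getElementById("main").innerHTML = html; });
// Fetched markup is only ever our own same-origin fragment, so rendering it is
// rendering our own content rather than attacker-controlled input.
async function loadPage(hash, origin, fetchText, render) {
  const url = resolvePageFromHash(hash, origin);
  if (url === null) {
    render(""); // unknown page: render nothing rather than echoing the hash
    return { ok: false, url: null };
  }
  const html = await fetchText(url);
  render(html);
  return { ok: true, url };
}
```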