Although I'd like to see a certain Norwegian browser crossing borders and domains to make progress all over the world, I'm not at all pleased when the scripting authors that made the website of the new "Norwegian" airline try to show us the way with cross-domain scripting.
Why doesn't your trusty browser want to allow this? After all, the Norwegian.no webmaster implicitly chooses to trust amadeus.net by displaying that site prominently in the frameset?
Humans are lazy. webmasters want browsers to forget all about security when it is convenient for them. Which is why it is hard to create a secure browser.