When you are using postman they are not restricted by this policy. Quoted from Cross-Origin XMLHttpRequest: Regular web pages can use the XMLHttpRequest object to send and receive data from remote servers, but they're limited by the same origin policy. Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.

Now, a solution would be to look inside the iframe contents document.readystate, but with cross-origin content we get security exceptions here.

That won't work if the external content is on another site due to same origin policy. In some obscure cases, the remote site might support JSONP; but probably not.

JSONP is really a simply trick to overcome XMLHttpRequest same domain policy. (As you know one cannot send AJAX (XMLHttpRequest) request to a different domain.) So - instead of using XMLHttpRequest we have to use script HTMLl tags, the ones you usually use to load JS files, in order for JS to get data from another domain. Sounds weird?