SalesForce.com does not directly support CORS or JSONP for cross-origin resource sharing of an IFRAME; instead, they have their own implementation called SalesForce Canvas. Since SalesForce instances (and therefore your IFRAMEd application) must be exposed to the Internet, some validation is required. It involves reading an encoded “signed request” and comparing a hash of it against a SalesForce consumer secret known by the non-SalesForce application. If those two things match up, we can assume the request is valid and use the OAuth token and other rich user+server contextual information provided by SalesForce. This contextual information is required for eventing over XmlHttpRequest (XHR). For security reasons the validation of the signed request against the consumer secret should be done server-side.
SalesForce has a nice PDF about Canvas at http://www.salesforce.com/us/developer/docs/platform_connectpre/canvas_framework.pdf. It even covers publish-subscribe XHR eventing between the application and SalesForce; however, the thing I don’t like about their documentation is that they push their Heroku platform too much in their examples. Although it’s cool if you are looking for a PaaS, if not, Heroku is unnecessary and complicates things when you are just trying to grasp the basics. If you’re a .Net developer you have to substitute your own equivalents as you go through their tutorial, so I wrote a simple library in C# with two simple “Hello-World”-style examples, one in ASP.Net MVC and the other in ASP.Net Web Forms. Here’s a link to my implementation in GitHub: https://github.com/short000/salesforce-canvas-dotnet
It includes a tutorial (https://github.com/short000/salesforce-canvas-dotnet/blob/master/SalesForceOAuthExamples/ReadMe.pdf) for configuring your SalesForce Connected App to work with this example.