Note 1: For this example to fully work, you need to launch Chrome with --disable-web-security (sadly, yes). See chrome-disable-same-origin-policy stack on stackoverflow.
Note 2: This example may not work directly with ajax.html on Github Pages, you should consider trying a page that doesn't have that The X-Frame-Options SAMEORIGIN response header. See X-Frame-Options on Mozilla Developer Network.