See what could happen if bad guys abuse JavaScript

Step 1: Press the button to load "https://www.paypal.com/" in the content-frame.

Step 2: Now, try to change the content-frame.
(It will not work... watch the JavaScript console.)

Step 3: Now, force the content-frame to change.