For sites with frame it's possible to execute script by spoofing location of one of frames.
vulners.com/securityvulns/securityvulns:doc:3476
vulners.com/securityvulns/securityvulns:doc:3480