SUSE CVE-2008-4195

Opera before 9.52 does not properly restrict the ability of a framed web page to change the address associated with a different frame, which allows remote attackers to trigger the display of an arbitrary address in a frame via unspecified use of web script...

Same origin violation: frame calling top.focus() — Mozilla

A child frame can call top.focus even if the framing page comes from a different origin and has overridden the focus routine. The call is made in the context of the child frame. The attacker would look for a target site with a framed page that makes this call but doesn't verify that its parent...