Look at the HTML source of this web page to see it contains an iframe.

Changing an iframe from cs.ru.nl via the DOM

Click anywhere in this sentence to change the frame.

And click anywhere in this sentence to change it back.

Accessing the location field of the frame is only allowed for the same domain if it comes form the same domain, ie. ru.nl.
Setting the location field of the frame is always allowed; for other fields it is typically not allowed.

Moral of this example: a malicious website that includes content from another domain (here: from Wikipedia) cannot mess with that content through JavaScript.

Try to think of examples where an attacker might be interested in doing this.