Of note though, cross-domain iframes have intense restrictions on them to prevent them from XSS-ing the host page or its domain.

Of course, if you’re running 3rd party ad scripts on your actual page, you’re at their mercy.