Well yes, my point is not to use an iframe like this (unless browsers start to include their own URL bars for those, though that still seems like a terrible idea). Previously paypal opened a regular popup (an entirely new window with its own url bar) or simply redirected the page. Both of those will fully inform the user about what site they are filling their credentials into.