It seems that I lack knowledge about this, can you explain it more clearly? How can that be? Something called coerce? It is really difficult to force someone to do what the attacker wants, unless they have tricks to cover the user's eyes. Right? 

This still depends on whether and how the same-origin-policy is implemented.