Steal postmessage modifying iframe location

Changing child iframes locations

According to this writeup, if you can iframe a webpage without X-Frame-Header that contains another iframe, you can change the location of that child iframe.
For example, if have as iframe and didn't have X-Frame header, I could change the to cross origin using, frames.location.
This is specially useful in postMessages because if a page is sending sensitive data using a wildcard like windowRef.postmessage("","*") it's possible to change the location of the related iframe (child or parent) to an attackers controlled location and steal that data.
<iframe src="" />
//pseudo code
setTimeout(function(){ exp(); }, 6000);
function exp(){
//needs to modify this every 0.1s as it's not clear when the iframe of the iframe affected is created
}, 100);