Upon placing that button inside a frameset on our service, a user clicks the button, gets a popup window to login to their paypal, and then it sits spinning endlessly because the parent page that created that popup window is now 'refusing the url to be changed by the paypal js'.
A cross domain security issue.
The thing is..... we'd had this code running and in place for about two years straight without fault for all our users. Then suddenly, sometime in the last month this has now become an issue when we changed no code on our end.
Frustrating fighting some of these cross origin security issues because browsers are dogpiling even more restrictions in place to protect everyone from the malicious people in the world. Sadly it means we have to re-engineer and format, change whole flows, and design styles ... just to get around the problem again.
Sorry, I have no solution to your issue....... we still have not found one ourselves.