This is why I think per-site security settings in the browser are a good thing. Regardless of whether it's in an iframe or not, if I haven't allowed some site to run scripts/use cookies/etc., it won't.
Opera (before they switched to WebKit/Blink) has per-site settings. IE has security zones (not per-site, but only a trusted/untrusted grouping.) Firefox can do it with extensions like NoScript, and I'm not familiar enough with Chrome or anything WebKit/Blink-based to know whether it can be done.