Having (say) GMail in an iframe sounds worrying. It's not immediately clear that the embedded page came from GMail, as we cannot see the https scheme in the URL for the iframe, much less any indication that the certificate is trusted etc. This provides an attacker with the possibility to create a fake GMail login page.
Why not redirect to GMail (openid-style) with a callback (or failing that, use a pop-up)?
You're talking about a phishing attack, and it's actually worse for OpenID: http://identity.mozilla.com/post/7669886219/how-browserid-di... Once Persona is integrated into browsers it will offer better security. BTW, the iframe is always in a pop-up for this exact reason. It's never an iframe within the context of the website that initiated the login.
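As an added illustration of the pop-up-with-callback pattern being discussed (example code written for this thread, not Mozilla's Persona/BrowserID shim or any site's real integration): the relying page opens the identity provider's login page in its own top-level pop-up, so the address bar and TLS indicators the visitor sees belong to the provider, and the login result comes back through postMessage. The security-relevant part is the receiving side, which accepts a result only from the expected origin and only from the window it opened. The provider origin, URL and message shape are hypothetical.

```javascript
// Added example: pop-up login with an origin-checked postMessage callback.
// Not Persona/BrowserID code; origins, URLs and message fields are made up.

const IDP_ORIGIN = 'https://login.example.test';                 // hypothetical identity provider
const RP_ORIGIN = 'https://rp.example.test';                     // hypothetical relying party
const IDP_LOGIN_URL = IDP_ORIGIN + '/login?rp=' + encodeURIComponent(RP_ORIGIN);

// Returns a handler bound to one pop-up window. The handler returns a
// decision object instead of acting directly, so it can be exercised offline.
function makeAssertionHandler(expectedOrigin, popupWindow) {
  return function handleMessage(event) {
    // 1. Origin check. A message from any other origin is rejected; without
    //    this, any page holding a reference to this window could inject a
    //    forged "logged in" result.
    if (event.origin !== expectedOrigin) {
      return { ok: false, reason: 'unexpected origin ' + event.origin };
    }
    // 2. Source check. The message must come from the pop-up we opened, not
    //    from some other frame or window that happens to share the origin.
    if (event.source !== popupWindow) {
      return { ok: false, reason: 'unexpected source window' };
    }
    // 3. Shape check. Only the fields we expect are read; nothing else in
    //    the payload is trusted.
    const data = event.data;
    if (!data || data.type !== 'login-result' || typeof data.assertion !== 'string') {
      return { ok: false, reason: 'malformed payload' };
    }
    // The assertion itself must still be verified server-side (signature,
    // audience, expiry); the client only decides whether to forward it.
    return { ok: true, assertion: data.assertion };
  };
}

// Browser entry point (not run under Node): open the pop-up at the provider's
// own origin and listen once for the result.
function startLogin(onAssertion) {
  const popup = window.open(IDP_LOGIN_URL, 'idp_login', 'width=500,height=600');
  const handler = makeAssertionHandler(IDP_ORIGIN, popup);
  function onMessage(event) {
    const result = handler(event);
    if (result.ok) {
      window.removeEventListener('message', onMessage);
      onAssertion(result.assertion);       // e.g. POST it to the RP backend for verification
    }
  }
  window.addEventListener('message', onMessage);
}

// Offline demonstration with constructed events standing in for what a
// browser would deliver to the message listener.
function demo() {
  const popup = {};                        // stands in for the window.open() return value
  const handler = makeAssertionHandler(IDP_ORIGIN, popup);
  const genuine = { origin: IDP_ORIGIN, source: popup,
                    data: { type: 'login-result', assertion: 'constructed-assertion-token' } };
  const spoofedOrigin = { origin: 'https://evil.example.test', source: popup,
                          data: { type: 'login-result', assertion: 'forged' } };
  const wrongWindow = { origin: IDP_ORIGIN, source: {},
                        data: { type: 'login-result', assertion: 'forged' } };
  const malformed = { origin: IDP_ORIGIN, source: popup, data: 'not an object' };
  return [handler(genuine), handler(spoofedOrigin), handler(wrongWindow), handler(malformed)];
}
```

The same three checks apply when the provider page is loaded in a pop-up rather than a redirect-and-callback; with a redirect, the equivalent protection is binding the callback to the RP's own registered return URL and verifying the assertion on the server.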