LavaMoat/LavaDome

Refuse to load LavaDome within non-top documents

Closed this issue · 1 comment

Make sure the LavaDome code refuses to load in non-top documents from the start, so as not to allow attackers to reload the entire page within an iframe whose environment they control, e.g.:

```js
// Attacker script running in the top page (or any context with DOM access to it)
const ifr = document.body.appendChild(document.createElement('iframe'));
// Tamper with the iframe's realm before any page is loaded into it
const payload = `// hook into a primitive LavaDome counts on to steal its secret`;
ifr.contentWindow.eval(payload);
// Reload the whole page inside the attacker-prepared iframe
const html = await (await fetch('/')).text();
ifr.contentDocument.write(html);
```
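The check the issue proposes, as an added example (not LavaDome's own code): refuse to initialise unless the current window is the top-level window. In a browser the argument would be the real `window`; the `makeWindow` stand-ins and the `attackerTriesToForgeTop` helper are constructed here so the guard can be exercised outside a browser. The check reads `top`, `self` and `parent` directly because on a real `Window` those are own, non-configurable, non-writable properties (the HTML spec marks them [LegacyUnforgeable]), so a script that got eval in the frame's realm cannot redefine them; the stand-ins model exactly that property layout.

```javascript
'use strict';

// The guard itself. A document is top-level iff its own window is the
// top-most window in the browsing-context tree. No flag passed in by the
// embedding page is consulted: in the scenario from the issue the embedder
// is the attacker, so any such flag would be under their control.
function isTopLevelDocument(win) {
  return win.top === win.self && win.parent === win.self;
}

// Entry-point guard: call this before LavaDome touches any secret.
function assertTopLevelDocument(win) {
  if (!isTopLevelDocument(win)) {
    throw new Error('LavaDome refuses to load in a non-top document');
  }
  return true;
}

// Constructed stand-in for a Window (assumption: mirrors the unforgeable
// own properties `self`, `top` and `parent` of a real Window object).
function makeWindow(parentWin) {
  const win = {};
  const top = parentWin ? parentWin.top : win;
  const parent = parentWin || win;
  for (const [name, value] of Object.entries({ self: win, top, parent })) {
    Object.defineProperty(win, name, {
      value, writable: false, configurable: false, enumerable: true,
    });
  }
  return win;
}

// Attacker from the issue: has code running in the frame's realm before the
// page is rewritten into it, and tries to make the guard pass by pointing
// `top` at the frame itself. Redefining a non-configurable property throws.
function attackerTriesToForgeTop(iframeWin) {
  try {
    Object.defineProperty(iframeWin, 'top', { value: iframeWin });
    return 'forged';
  } catch (e) {
    return 'rejected: ' + e.constructor.name;
  }
}

// Stand-alone demonstration.
const topWin = makeWindow();
const frameWin = makeWindow(topWin);
console.log('top window passes guard:', isTopLevelDocument(topWin));
console.log('iframe passes guard:', isTopLevelDocument(frameWin));
console.log('attacker forging top:', attackerTriesToForgeTop(frameWin));
console.log('iframe passes guard after attack:', isTopLevelDocument(frameWin));
```

The guard is unconditional on purpose. A conditional variant ("allow nested if the host says so") would have to read that permission from something the embedding page supplies, and in the attack above the embedding page is the attacker's, so the permission would always be granted.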

I'm on the fence about this one. I can think of legit use cases (XO iframe where LavaDome is integrated), and then if I want to support non-top docs conditionally it's practically impossible to do so safely, because passing a bool arg indicating whether to run or not can also be tampered with by the attacker.

Closing for now, also because I'm not sure there's an actual attack surface here to begin with.