Security policies and contractual agreements prohibit displaying a NetSuite login page in an iFrame. For more information about this prohibition, see Secure Login Access to Your NetSuite Account.
As of January 2015, we have been prohibiting the use of iFrames on the following login pages:
This prohibition protects your account against clickjacking attacks. For more information about defending against this vulnerability, visit the OWASP website to review the Clickjacking Defense Cheat Sheet. The iFrame prohibition is a part of best practices described in RFC7034 - HTTP Header Field X-Frame-Options.
To allow logins through NetSuite, you must create a login page hosted on the NetSuite secure server and display a link to this login page on a different page.
See Creating Custom Pages for Login to Your NetSuite Account for more information.