fix(toolbar): Tighten up iframe security and fix bug when saving cookie

[BYK]

Currently, when trying to save a cookie in the iframe we throw an exception as there's a reference to cookie where it should be data.cookie. On top of this the iframe has 2 security issues

1. It would establish the messaging channel even if state is not success once the login form succeeds. This opens up the possibility to make API requests on behalf of the user from an authorized parent page. This is especially doable through click-jacking as one can position an almost invisible iframe, make users click the login button to trigger the issue.
2. The valid functions check uses a naive in operator which allows outsiders access to built-in properties and methods such as __proto__ and __defineGetter__ etc, allowing an attacker to inject their own functions and code.

This patch fixes both issues. There remains one last issue where in fetch we accept any URL and don't check it, allowing an outsider/attacker to initiate fetch requests to any domain from sentry.io. We should address this soon but I think it is lower impact compared to the other two above.

[codecov]

❌ 1 Tests Failed:

Tests completed	Failed	Passed	Skipped
22179	1	22178	219

View the full list of 1 ❄️ flaky tests

tests.sentry.utils.mockdata.test_core.TestMockData test_main_skip_default_setup

Flake rate in main: 33.33% (Passed 4 times, Failed 2 times)

Stack Traces | 4.83s run time

#x1B[1m#x1B[.../utils/mockdata/test_core.py#x1B[0m:64: in test_main_skip_default_setup
    assert Environment.objects.count() == 2, "Should make an environment"
#x1B[1m#x1B[31mE   AssertionError: Should make an environment#x1B[0m
#x1B[1m#x1B[31mE   assert 3 == 2#x1B[0m
#x1B[1m#x1B[31mE    +  where 3 = <bound method QuerySet.count of <sentry.db.models.manager.base.BaseManager object at 0x7f56cac52ae0>>()#x1B[0m
#x1B[1m#x1B[31mE    +    where <bound method QuerySet.count of <sentry.db.models.manager.base.BaseManager object at 0x7f56cac52ae0>> = <sentry.db.models.manager.base.BaseManager object at 0x7f56cac52ae0>.count#x1B[0m
#x1B[1m#x1B[31mE    +      where <sentry.db.models.manager.base.BaseManager object at 0x7f56cac52ae0> = Environment.objects#x1B[0m

To view individual test run time comparison to the main branch, go to the Test Analytics Dashboard

[getsantry]

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you remove the label Waiting for: Community, I will leave it alone ... forever!

---

"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

[BYK]

@ryan953 @mdtro @getsentry/security - Closed this PR as it got out of date and seems like there's a lack of interest. That said there are still 2 important issues with the iframe.html transport:

1. We set up the messaging channel regardless of the state
2. In the fetchProxy function we make a call to any URL without domain checking but with the Sentry token

Combining these, it looks like anyone can load this page, send a fetch message with a URL for a server they control and steal the authentication token.