So, you are talking from the view of a site-owner, rather than a site-visitor?
You might run into issues loading everything into an iframe, and you’re really just shuffling the problem to the site living in the iframe, no?
Here are a few ideas. They are not exhaustive:
You should be setting a same-origin policy heading on your site (stuff like third-party JS tend to get around same-origin by using JSONP as a hack but be aware these can be injected).
If you’ve got forms you could have your backend whatever make a CSRF token or cookie.
Don’t use any of those large advertising networks on your site unless you can personally vet every party of that network (usually you can’t, I’ve heard).
When using something from a CDN (let’s say you want to use jQuery), see if the thing you are downloading has an MD5 hash. If it does, you should always check this hash to check that what you downloaded is what the CDN domain claims to offer. Of course, if the CDN store is compromised then I suppose the attacker could make their evil MD5 and then you’d think you had a match but I haven’t heard of anyone actually doing that.
Instead you hear a lot about people not checking anything and the third-party being compromised (like BrowseAloud).
If you really don’t need the latest version of some offsite resource (again let’s use jQuery) you could have a local version instead of the user calling the CDN. This does however defeat the benefit of maybe the user has already cached that script or resource.
If you’re using something like AWS or CloudFront or whatever, make sure you list all the hostnames you use in your panel. Like, every subdomain. I dunno how common it is, but having a (sub)domain who isn’t specifically listed may open you to domain fronting (someone makes another page in the same cloud as you and since you didn’t name your (sub)domain, they could name it. Then since some of these cloud services look at the Host heading, they’ll redirect users to this other person’s page and the domain will look legit).
You could try using Javascript tokens (JSON Web Tokens) instead of cookies for keeping track of sessions, or HTTP-only cookies (which either can’t be hijacked or it’s hard to).
I dunno, those are some ideas.