Oh and from the iFrame there is this vuln found: http://bugs.jqueryui.com/ticket/6016 (hope the plug-in version does not have that)
→ https://account.optionsxpress.com/inc/js/plugins/jquery.blockUI.js previous next
Some example -
Summary
Severity: Information
Confidence: Certain
Host: https://account.optionsxpress.com
Path: /inc/js/plugins/jquery.blockUI.js
Issue detail
The following cookies were issued by the application and do not have the secure flag set:
* TLTHID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com
* TLTSID=3B138D484BD3DC1EBC2548A8FD6DEEF1; Path=/; Domain=.optionsxpress.com
The cookies do not appear to contain session tokens, which may reduce the risk associated with this issue. You should review the contents of the cookies to determine their function.
polonus