
> 3. it prompts for your password - gmail password or yahoo password

Yes. In this case the "it" that prompts for your password will be an iframe served from gmail/yahoo. Once they support Persona natively, login.persona.org is no longer in the loop and your gmail/yahoo password goes directly to gmail/yahoo.



Having (say) GMail in an iframe sounds worrying. It's not immediately clear that the embedded page came from GMail, as we cannot see the https scheme in the URL for the iframe - much less any indication that the certificate is trusted, etc. This provides an attacker with the possibility to create a fake GMail login page.

Why not redirect to GMail (openid-style) with a callback (or failing that, use a pop-up)?


You're talking about a phishing attack, and it's actually worse for OpenID: http://identity.mozilla.com/post/7669886219/how-browserid-di... Once Persona is integrated into browsers, it will offer better security. BTW, the iframe is always in a pop-up for this exact reason. It's never an iframe within the context of the website that initiated the login.

