Graças ao comentário da FCTW, o problema foi resolvido no Firefox 52: link
O patch protege contra prompts de autenticação de abuso:
Note that this fixes only a case when a page contains an iframe that 1) asks for auth 2) is reloaded by the top level page on and on. If such the page would reload itself (not just the iframe), the patch would not help.