Loads a URL in an iframe and reports embedding status, postMessage traffic, and the parent origin you must allow-list.
Add Parent origin to the app's iframe allow-list (frame-ancestors + CORS) or the embed will be blocked.
Sends to the frame's contentWindow. Incoming messages are logged below.