Maybe I didn't make it clear enough but my question was about injecting an arbitrary iframe into a website's DOM (I mentioned YouTube iframe just as an example), so it can be either an iframe with a URL that I have or doesn't have control over.
> Let's look at an example. Say you wanted to display a map in your extension's popup using Mapbox. Today, you can embed Mapbox's <script> and <style> tags directly in your popup.html as described in their sample
and you're good to go. Tomorrow, you'll need to embed an iframe points to a page (probably on your domain) that contains the map. If you need to detect interactions with the map, your sub-frame will have to postMessage those interactions to popup.html.
As I understand from this response, it's allowed, regarding the remote code execution rule, to embed an iframe into DOM and optionally communicate with it. Is my interpretation correct?