Styles and scripts do not cross borders in either direction
iframe: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
Communication when CORS (security when iframe does not come from same origin) applies: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
Using 127.0.0.1 / github.io as host for iframe makes CORS apply when this page is loaded using localhost