This is App2

Styles and scripts do not cross borders in either direction

iframe: https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe

Communication when CORS (security when iframe does not come from same origin) applies: https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage

Using 127.0.0.1 / github.io as host for iframe makes CORS apply when this page is loaded using localhost