If you allow custom HTML via an iframe and make it shareable, you have to host the iframe from a different domain, otherwise it's XSS vulnerability heaven. The trick will be authentication, because separate domains don't share sessions (and you wouldn't want a secured domain to have access to your session anyway), but you can do communication via postMessage.
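The parent-page side of that postMessage channel, as an added example that is not part of the original comment; the origin `https://usercontent.example`, the `makeBridge` helper and the action names are assumptions chosen for illustration. It checks the origin and source of every message and replies with only the requested value, so the session itself never crosses into the embedded origin.

```javascript
// Parent-page side of a postMessage bridge to user HTML hosted on a separate origin.
// SANDBOX_ORIGIN, makeBridge and the action names are hypothetical (illustration only).
const SANDBOX_ORIGIN = "https://usercontent.example";

// The only requests the embedded content may make. Each one runs with the
// parent's session on the frame's behalf, so the list is kept narrow.
const ALLOWED_ACTIONS = {
  getDisplayName: (ctx) => ctx.user.displayName,
  getTheme: (ctx) => ctx.theme,
};

function makeBridge(frameWindow, ctx) {
  return function onMessage(event) {
    // 1. Sender must be the sandbox origin, compared exactly (no prefix or regex match).
    if (event.origin !== SANDBOX_ORIGIN) return "rejected:origin";
    // 2. Sender must be the iframe we created, not some other window on that origin.
    if (event.source !== frameWindow) return "rejected:source";
    // 3. The payload is untrusted input: check its shape before using it.
    const msg = event.data;
    if (msg === null || typeof msg !== "object" ||
        typeof msg.action !== "string" || !Number.isInteger(msg.id)) {
      return "rejected:shape";
    }
    // Own-property check so names like "constructor" do not resolve via the prototype.
    if (!Object.prototype.hasOwnProperty.call(ALLOWED_ACTIONS, msg.action)) {
      return "rejected:action";
    }
    // 4. Reply with an explicit targetOrigin, never "*", and send only the
    //    requested value; no cookie or session token is included.
    const result = ALLOWED_ACTIONS[msg.action](ctx);
    event.source.postMessage({ id: msg.id, result }, SANDBOX_ORIGIN);
    return "ok";
  };
}

// In a browser:
// window.addEventListener("message", makeBridge(iframe.contentWindow, ctx));
```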