Discourse actually does allow iframes, but for security reasons, the default settings only allow specific domains. I have just changed this to allow any https iframe, so feel free to try it out! 
(If it ends up being abused for malicious purposes, then I may need to lock it back down again…)
One quirk of the pattern is that a bare domain will require a trailing slash (e.g. https://example.com/, not https://example.com).
Here’s a demo: