Some providers check (usually rather poorly) whether the current origin matches the external domain, and stop if it does not. But since we hold all the cards, we can easily override these checks. With relatively simple code analysis, almost all scripts (even well-secured Google Sheets embeddings within iframes) can be modified. Here is a simple version of the proxy (in which the $receipts variable is intentionally filled only with harmless sample data):
All you have to do now is change the src attribute of the iframe and let the fun begin:
If you want to swap recipes, feel free to PM me. Happy hacking!