Yes, itβs a head inside an iframe, hence I think something like this will make it work:
<script crossorigin='anonymous'>
add script
</script>
In addition to that, whenever the script accesses window or document, you should use parent.window and parent.document.