In addition to the standard add-on installation, you must add the user "Html Macro" to the "access-confluence" group or the "Administrators" group.
The Cloud add-on permission model is evolving, so currently either of these groups works.
Here are just a couple of examples of content you can now place in your page.
Include forms from Wufoo
Here is a live form being served from Wufoo (you must unselect "Sanitize").
CodePen is a playground for the front end web.
Security Considerations - Sanitized HTML option
When using the "sanitized" option only HTML considered safe is allowed. This option will load slightly faster. An "iframe" is permitted.
If permissions are restricted at either the space level or the page level such that the relevant "add-on user" (which is created when you install an add-on) does not have read/write access, operations will fail.
The current model for Cloud add-ons is a bit brittle in this respect. Hopefully Atlassian will address this at some point.
When you try to include an iframe, it does not work. The browser console will say "Refused to display 'https://www.mysite.com' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'."
The site is explicitly setting a security policy (the X-Frame-Options response header) that disallows being embedded in an iframe, and the browser is honoring that. It is basic browser security and not something we can control.
If you control the remote domain, you can disable that setting. Or you'd have to build a proxy for that domain that strips the header. This is probably going to be common.
Many sites don’t want to show up in iframes for IP or security reasons.
This X-Frame-Options value (SAMEORIGIN) says that the page can be embedded in an iframe if the parent page is from the same origin, but there are other values that disallow it from any origin, etc.
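To tell in advance whether a page will load in the macro's iframe, the header logic described above can be evaluated against the target's response headers. The following is an added example, not part of the add-on: the function name `framingVerdict` is an assumption, and it goes slightly beyond the text by also reading the CSP `frame-ancestors` directive, which browsers prefer over X-Frame-Options when both are sent.

```javascript
// Added example (not the add-on's code): would a browser let `parentOrigin`
// frame `targetUrl`, given the target's response headers?
// Simplification: wildcard-host and scheme-only CSP sources count as no match.
function framingVerdict(headers, targetUrl, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const targetOrigin = new URL(targetUrl).origin;
  const parent = new URL(parentOrigin).origin;

  // CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';')
    .map(d => d.trim().split(/\s+/))
    .find(parts => parts[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1);
    const allowed = sources.some(s => {
      if (s === "'none'") return false;
      if (s === "'self'") return parent === targetOrigin;
      if (s === '*') return true;
      try { return new URL(s).origin === parent; } catch { return false; }
    });
    return { allowed, reason: `CSP frame-ancestors ${sources.join(' ')}` };
  }

  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: parent === targetOrigin, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  // Any other value (e.g. the obsolete ALLOW-FROM) is ignored by current browsers.
  return { allowed: true, reason: xfo ? `unrecognised value "${xfo}" ignored` : 'no framing restriction sent' };
}
```

Feed it the headers shown in the browser's network tab for the URL you want to embed, with your Confluence site as the parent origin.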