I figured it out.

The actual error pertains to RenderSuiteNav.

From reading this blog post: https://skodvinhvammen.wordpress.com/2017/03/17/sharepoint-hybrid-app-launcher-explained/  it mentions this line in the masterpage:

<SharePoint:DelegateControl id="ID_SuiteBarDelegate" ControlId="SuiteBarDelegate" runat="server" />

Once deleted, the iframe displays correctly.

Normally, scripts on different pages are allowed to access each other if and only if the pages they originate from share the same protocol, port number, and host. Above error message shows that you can't access an < iframe > with different origin using JavaScript/jQuery, it would be a huge security flaw if you could do it.

window.postMessage() provides a controlled mechanism to securely circumvent this restriction.

Hello, do you have any examples of using window.postmessage()?

We've also been looking at modifying the web.config file for the site collection and adding Access-Control-Allow-Origin: http://<site name>.com to <system.webServer><httpProtocol><customHeaders> section. Has anyone tried this method? 

Deleting the DelegateControl section on a master page seems a little risky to me.

My work-around to display a nintex form in an iframe is the following steps:

1: copy the master-page

2: hide/remove the delta suitebar.

3: create a web-part page and specify that custom master page.

4: add nintex form web part to web part page.

5: strip out all sharepoint ribbon and left nav using CSS, so all that remains is the nintex form.

6: add .aspx web part page to an iframe to be used on another site.