diff --git a/gitiles-servlet/src/main/java/com/google/gitiles/doc/DocServlet.java b/gitiles-servlet/src/main/java/com/google/gitiles/doc/DocServlet.java
index e6d37a0..ed78d4a 100644
--- a/gitiles-servlet/src/main/java/com/google/gitiles/doc/DocServlet.java
+++ b/gitiles-servlet/src/main/java/com/google/gitiles/doc/DocServlet.java
@@ -131,7 +131,7 @@
       }
 
       res.setHeader(HttpHeaders.ETAG, curEtag);
-      showDoc(req, res, view, nav, doc);
+      showDoc(req, res, view, cfg, nav, doc);
     } finally {
       rw.release();
     }
@@ -164,7 +164,8 @@
   }
 
   private void showDoc(HttpServletRequest req, HttpServletResponse res,
-      GitilesView view, RootNode nav, RootNode doc) throws IOException {
+      GitilesView view, Config cfg,
+      RootNode nav, RootNode doc) throws IOException {
     Map<String, Object> data = new HashMap<>();
     data.putAll(Navbar.bannerSoyData(view, nav));
     data.put("pageTitle", MoreObjects.firstNonNull(
@@ -173,8 +174,8 @@
     data.put("sourceUrl", GitilesView.show().copyFrom(view).toUrl());
     data.put("logUrl", GitilesView.log().copyFrom(view).toUrl());
     data.put("blameUrl", GitilesView.blame().copyFrom(view).toUrl());
-    data.put("navbarHtml", new MarkdownToHtml(view).toSoyHtml(nav));
-    data.put("bodyHtml", new MarkdownToHtml(view).toSoyHtml(doc));
+    data.put("navbarHtml", new MarkdownToHtml(view, cfg).toSoyHtml(nav));
+    data.put("bodyHtml", new MarkdownToHtml(view, cfg).toSoyHtml(doc));
 
     String page = renderer.render(SOY_TEMPLATE, data);
     byte[] raw = page.getBytes(UTF_8);
diff --git a/gitiles-servlet/src/main/java/com/google/gitiles/doc/GitilesMarkdown.java b/gitiles-servlet/src/main/java/com/google/gitiles/doc/GitilesMarkdown.java
index 040326b..9557c54 100644
--- a/gitiles-servlet/src/main/java/com/google/gitiles/doc/GitilesMarkdown.java
+++ b/gitiles-servlet/src/main/java/com/google/gitiles/doc/GitilesMarkdown.java
@@ -77,6 +77,7 @@
     return new Rule[] {
         cols(),
         hr(),
+        iframe(),
         note(),
         toc(),
     };
@@ -96,6 +97,35 @@
         push(new SimpleNode(SimpleNode.Type.HRule)));
   }
 
+  public Rule iframe() {
+    StringBuilderVar src = new StringBuilderVar();
+    StringBuilderVar h = new StringBuilderVar();
+    StringBuilderVar w = new StringBuilderVar();
+    StringBuilderVar b = new StringBuilderVar();
+    return NodeSequence(
+        string("<iframe"),
+        oneOrMore(
+          sequence(
+            Spn1(),
+            firstOf(
+              sequence(string("src="), attribute(src)),
+              sequence(string("height="), attribute(h)),
+              sequence(string("width="), attribute(w)),
+              sequence(string("frameborder="), attribute(w))
+            ))),
+        Spn1(), '>',
+        Spn1(), string("</iframe>"),
+        push(new IframeNode(src.getString(),
+            h.getString(), w.getString(),
+            b.getString())));
+  }
+
+  public Rule attribute(StringBuilderVar var) {
+    return firstOf(
+      sequence('"', zeroOrMore(testNot('"'), ANY), var.append(match()), '"'),
+      sequence('\'', zeroOrMore(testNot('\''), ANY), var.append(match()), '\''));
+  }
+
   public Rule note() {
     StringBuilderVar body = new StringBuilderVar();
     return NodeSequence(
diff --git a/gitiles-servlet/src/main/java/com/google/gitiles/doc/IframeNode.java b/gitiles-servlet/src/main/java/com/google/gitiles/doc/IframeNode.java
new file mode 100644
index 0000000..f4d1ca3
--- /dev/null
+++ b/gitiles-servlet/src/main/java/com/google/gitiles/doc/IframeNode.java
@@ -0,0 +1,47 @@
+// Copyright 2015 Google Inc. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package com.google.gitiles.doc;
+
+import com.google.common.base.Strings;
+
+import org.pegdown.ast.AbstractNode;
+import org.pegdown.ast.Node;
+
+import java.util.Collections;
+import java.util.List;
+
+class IframeNode extends AbstractNode {
+  final String src;
+  final String height;
+  final String width;
+  final boolean border;
+
+  IframeNode(String src, String height, String width, String border) {
+    this.src = src;
+    this.height = Strings.emptyToNull(height);
+    this.width = Strings.emptyToNull(width);
+    this.border = !"0".equals(border);
+  }
+
+  @Override
+  public void accept(org.pegdown.ast.Visitor visitor) {
+    ((Visitor) visitor).visit(this);
+  }
+
+  @Override
+  public List<Node> getChildren() {
+    return Collections.emptyList();
+  }
+}
diff --git a/gitiles-servlet/src/main/java/com/google/gitiles/doc/MarkdownToHtml.java b/gitiles-servlet/src/main/java/com/google/gitiles/doc/MarkdownToHtml.java
index c1c7d4f..f2de56e 100644
--- a/gitiles-servlet/src/main/java/com/google/gitiles/doc/MarkdownToHtml.java
+++ b/gitiles-servlet/src/main/java/com/google/gitiles/doc/MarkdownToHtml.java
@@ -22,6 +22,8 @@
 import com.google.template.soy.data.SanitizedContent;
 import com.google.template.soy.shared.restricted.EscapingConventions;
 
+import org.eclipse.jgit.lib.Config;
+import org.eclipse.jgit.util.StringUtils;
 import org.pegdown.ast.AbbreviationNode;
 import org.pegdown.ast.AutoLinkNode;
 import org.pegdown.ast.BlockQuoteNode;
@@ -71,10 +73,12 @@
   private final HtmlBuilder html = new HtmlBuilder();
   private final TocFormatter toc = new TocFormatter(html, 3);
   private final GitilesView view;
+  private final Config cfg;
   private TableState table;
 
-  public MarkdownToHtml(GitilesView view) {
+  public MarkdownToHtml(GitilesView view, Config cfg) {
     this.view = view;
+    this.cfg = cfg;
   }
 
   /** Render the document AST to sanitized HTML. */
@@ -127,6 +131,36 @@
   }
 
   @Override
+  public void visit(IframeNode node) {
+    if (HtmlBuilder.isValidHttpUri(node.src)
+        && HtmlBuilder.isValidCssDimension(node.height)
+        && HtmlBuilder.isValidCssDimension(node.width)
+        && canRender(node)) {
+      html.open("iframe")
+          .attribute("src", node.src)
+          .attribute("height", node.height)
+          .attribute("width", node.width);
+      if (!node.border) {
+        html.attribute("class", "noborder");
+      }
+      html.close("iframe");
+    }
+  }
+
+  private boolean canRender(IframeNode node) {
+    String[] ok = cfg.getStringList("markdown", null, "allowiframe");
+    if (ok.length == 1 && StringUtils.toBooleanOrNull(ok[0]) == Boolean.TRUE) {
+      return true;
+    }
+    for (String m : ok) {
+      if (m.equals(node.src) || (m.endsWith("/") && node.src.startsWith(m))) {
+        return true;
+      }
+    }
+    return false; // By default do not render iframe.
+  }
+
+  @Override
   public void visit(HeaderNode node) {
     String tag = "h" + node.getLevel();
     html.open(tag);
diff --git a/gitiles-servlet/src/main/java/com/google/gitiles/doc/Visitor.java b/gitiles-servlet/src/main/java/com/google/gitiles/doc/Visitor.java
index 8e9ea60..e91e073 100644
--- a/gitiles-servlet/src/main/java/com/google/gitiles/doc/Visitor.java
+++ b/gitiles-servlet/src/main/java/com/google/gitiles/doc/Visitor.java
@@ -17,5 +17,6 @@
 public interface Visitor extends org.pegdown.ast.Visitor {
   void visit(ColsNode node);
   void visit(DivNode node);
+  void visit(IframeNode node);
   void visit(TocNode node);
 }
diff --git a/gitiles-servlet/src/main/java/com/google/gitiles/doc/html/HtmlBuilder.java b/gitiles-servlet/src/main/java/com/google/gitiles/doc/html/HtmlBuilder.java
index 093f901..f5dc889 100644
--- a/gitiles-servlet/src/main/java/com/google/gitiles/doc/html/HtmlBuilder.java
+++ b/gitiles-servlet/src/main/java/com/google/gitiles/doc/html/HtmlBuilder.java
@@ -46,7 +46,8 @@
       "a", "div", "img", "p", "blockquote", "pre",
       "ol", "ul", "li", "dl", "dd", "dt",
       "del", "em", "strong", "code", "br", "hr",
-      "table", "thead", "tbody", "caption", "tr", "th", "td"
+      "table", "thead", "tbody", "caption", "tr", "th", "td",
+      "iframe"
   );
 
   private static final ImmutableSet<String> ALLOWED_ATTRIBUTES = ImmutableSet.of(
@@ -58,6 +59,17 @@
   private static final FilterNormalizeUri URI = FilterNormalizeUri.INSTANCE;
   private static final FilterImageDataUri IMAGE_DATA = FilterImageDataUri.INSTANCE;
 
+  public static boolean isValidCssDimension(String val) {
+    return val != null && val.matches("(?:[1-9][0-9]*px|100%|[1-9][0-9]?%)");
+  }
+
+  public static boolean isValidHttpUri(String val) {
+    return (val.startsWith("https://")
+        || val.startsWith("http://")
+        || val.startsWith("//"))
+        && URI.getValueFilter().matcher(val).find();
+  }
+
   /** Check if URL is valid for {@code <img src="data:image/*;base64,...">}. */
   public static boolean isImageDataUri(String url) {
     return IMAGE_DATA.getValueFilter().matcher(url).find();
@@ -89,6 +101,13 @@
       val = anchorHref(val);
     } else if ("src".equals(att) && "img".equals(tag)) {
       val = imgSrc(val);
+    } else if ("src".equals(att) && "iframe".equals(tag)) {
+      if (!isValidHttpUri(val)) {
+        return this;
+      }
+      val = URI.escape(val);
+    } else if (("height".equals(att) || "width".equals(att)) && "iframe".equals(tag)) {
+      val = isValidCssDimension(val) ? val : "250px";
     } else if ("alt".equals(att) && "img".equals(tag)) {
       // allow
     } else if ("title".equals(att) && ("img".equals(tag) || "a".equals(tag))) {
@@ -119,8 +138,7 @@
   }
 
   private static String imgSrc(String val) {
-    if ((val.startsWith("http:") || val.startsWith("https:"))
-        && URI.getValueFilter().matcher(val).find()) {
+    if (isValidHttpUri(val)) {
       return URI.escape(val);
     }
     if (isImageDataUri(val)) {
diff --git a/gitiles-servlet/src/main/resources/com/google/gitiles/static/doc.css b/gitiles-servlet/src/main/resources/com/google/gitiles/static/doc.css
index 36e10dd..3b4de7d 100644
--- a/gitiles-servlet/src/main/resources/com/google/gitiles/static/doc.css
+++ b/gitiles-servlet/src/main/resources/com/google/gitiles/static/doc.css
@@ -152,6 +152,13 @@
 .doc img {
   border: 0;
 }
+.doc iframe {
+  min-width: 100px;
+  min-height: 30px;
+}
+iframe.noborder {
+  border: 0;
+}
 
 .doc pre {
   border: 1px solid silver;