Your browser should allow this, because Brightspace does not prevent this by specifying an X-FRAME-OPTIONS header or some CSP policy.

Fortunately, the login page from surfconext.nl where you enter your login credentials does not allow this. Log out from Brightspace to see this: if you then go to this webpage you will first see the SURFcontext window in an iframe, but if you then click this to log in you will see that UI redressing is blocked.

It is probably not a big security problem for Brightspace that it can be include in an iframe: it is hard to come up with an interesting attack scenario. Still, there is no good reason for Brightspace NOT to disable this.