allow-scripts for iframe sandbox but block sync-xhr