[feat] Add iframe permissions

[zhanlarr]

Hm I'm realizing that this is probably much more complicated than it needs to be - we should probably just allow users to pass through the allow and sandbox properties, with a warning when the sandbox property doesn't include allow-scripts and allow-same-origin

[zhanlarr]

@kentwalters @BenjamynBaker I actually ended up just setting this up to always include allow-scripts and allow-same-origin whenever sandbox is specified. I'll also update the README here

[kentwalters]

LGTM! We'll let @BenjamynBaker stamp, then all good to merge.

[BenjamynBaker]

LGTM