e01ed039fb
Previously the SandboxFrame iframe relied entirely on cross-origin subdomain isolation (the HMAC-derived `<id>.sandbox.ditto.pub` origin) for containment. That does give origin-keyed storage and postMessage isolation, but it does not restrict top-frame navigation, pointer lock, or other capabilities that a hostile nsite/webxdc app could abuse. The highest-value protection here is blocking `allow-top-navigation`: without it, a malicious nsite could do `window.top.location = evilUrl` and redirect the entire Ditto tab to a phishing page that impersonates the app. The user opened a preview expecting to stay inside Ditto, so this is a realistic and impactful attack. The policy grants the capabilities that real web apps legitimately use (scripts, same-origin storage + Service Workers per iframe.diy's architecture, forms, modals, popups that escape the sandbox, downloads) while withholding the ones that are either attacks (top navigation) or unused niche features (pointer lock, presentation API, orientation lock). Also Omit 'sandbox' from the spread props so consumers cannot accidentally weaken the policy.