Add support for sandbox attribute on router outlet to restrict privileges of embedded content

[danielwiehl]

Is your feature request related to a problem? Please describe.

By specifying the "sandbox" attribute on an iframe, we can control the privileges of embedded content, for example, to load it in a low-privilege environment to mitigate the risks of potential attacks.

Since the custom element encloses the iframe, we cannot set the "sandbox" attribute. The platform should provide API to set it accordingly.

Describe the solution you'd like

• sandbox attribute on sci-router-outlet to specify the privileges of embedded content
• sandbox property on microfrontend capability to specify the privileges of the microfrontend; if specified, the platform applies it to the iframe into which the microfrontend is loaded during navigation
• consider adding a boolean property to MicrofrontendPlatformConfig to enforce setting a sandbox policy

Additional context

• https://web.dev/sandboxed-iframes/
• https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox
• https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-sandbox