Web Share API can be triggered from iframe sandbox

[shhnjk]

CSP/iframe sandbox aren't allowed to open popups or escape sandbox restriction unless "allow-popups" or "allow-popups-to-escape-sandbox" is set respectively.

However, when "allow-scripts" is specified, sandboxed document can trigger Web Share API, which might allow escaping CSP/iframe sandbox because Web Share Target now supports PWA.

[mgiuca]

I believe this has been fixed by #166; it should no longer be allowed to use it from an iframe without the appropriate feature policy.