That "allow=camera" part allows the iframe access to the top level so that it can use getUserMedia(). However, the "sandbox" attribute will treat everything in that frame as a separate domain (opaque, or a domain that matches no other), and getUserMedia() can only be called from the top level's domain. That's why "allow-same-origin" is needed there. (So you'd also allow reading cookies, local storage, etc. Setting cookies to HttpOnly would prevent reading those, but local storage doesn't have that.) Allowing untrusted scripts will be dangerous no matter how you go about it, though... think of clickjacking or CSRF, for instance.
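A constructed demo of the two sandbox configurations discussed above (added here as an illustration; it is not the commenter's code). It assumes the page is served over HTTPS, since getUserMedia() needs a secure context, and uses srcdoc so both frames load the same probe script from one file:

```html
<!-- Constructed demo: one frame is sandboxed with an opaque origin, the other adds
     allow-same-origin. Each frame probes getUserMedia() and localStorage and reports back. -->
<iframe id="opaque" sandbox="allow-scripts" allow="camera"></iframe>
<iframe id="sameorigin" sandbox="allow-scripts allow-same-origin" allow="camera"></iframe>
<pre id="log"></pre>
<script>
  // The same probe runs in both frames; it only reports what the browser allowed.
  const probe = `<script>
    (async () => {
      const r = { origin: window.origin, camera: '', storage: '' };
      try {
        const s = await navigator.mediaDevices.getUserMedia({ video: true });
        s.getTracks().forEach(t => t.stop());     // release the camera right away
        r.camera = 'granted';
      } catch (e) { r.camera = 'rejected: ' + e.name; }
      try {
        localStorage.setItem('probe', '1');       // needs a real (non-opaque) origin
        r.storage = 'accessible (frame shares the parent origin)';
      } catch (e) { r.storage = 'blocked: ' + e.name; }
      parent.postMessage(r, '*');                 // an opaque origin can only target '*'
    })();
  <\/script>`;

  const frames = {
    opaque: document.getElementById('opaque'),
    sameorigin: document.getElementById('sameorigin'),
  };
  window.addEventListener('message', (e) => {
    // Accept reports only from the two frames created here. e.origin is the string
    // "null" for the opaque frame, so identify the sender by e.source, not e.origin.
    const name = Object.keys(frames).find(k => frames[k].contentWindow === e.source);
    if (!name) return;
    document.getElementById('log').textContent +=
      `${name}: origin=${e.data.origin} camera=${e.data.camera} storage=${e.data.storage}\n`;
  });
  for (const f of Object.values(frames)) f.srcdoc = probe;
</script>
```

The log shows the trade-off directly: the opaque frame reports origin "null" with both probes refused, while the allow-same-origin frame can use the camera but also reaches the parent's storage. Note that a same-origin frame granted both allow-scripts and allow-same-origin can also reach the parent document and strip its own sandbox attribute, which is why the HTML spec warns against that combination for untrusted content.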