That "allow=camera" part allows the iframe access to the top-level so that it can use getUserMedia().... however, the "sandbox" attribute will treat everything in that frame as a separate domain (opaque, or a domain that matches no other), and getUserMedia() can only be called from the top-level's domain. That's why "allow-same-origin" is needed there. (So you'd also allow reading cookies, local storage, etc... setting cookies to http-only would prevent reading those, but local storage doesn't have that.) Allowing untrusted scripts will be dangerous no matter how you go about it, though... think of click-jacking, for instance.
@progNewbie (I couldn't seem to add a reply to your comment there, so putting it here) Clickjacking and CSRF would be concerns if other users can access these pages. If so, imagine a clickjack (not sure that's the right term, actually it's just plain XSS....) where a prompt appears "You need to change your password, please enter your old/new password and submit." For CSRF, yes, even httpOnly cookies would be sent... so they could force one of your users to do some action (like changing their email/password) if you don't mitigate CSRF there. (Which will be harder to do since this is now same-domain with that allow-same-origin attribute set... this isn't actually cross-site, so not sure you could even prevent it...) I would be very, very careful if you allow scripts or use that same-domain option.
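The two comments above describe how the `sandbox` and `allow` attributes interact: `allow=camera` delegates the permission, but a sandboxed frame has an opaque origin unless `allow-same-origin` is set, and that token in turn hands the frame the embedding origin's cookies and storage. The following is an added example, not code from the thread: a small audit function, runnable under Node.js without a DOM, that reads an iframe's `sandbox` and `allow` attribute strings and reports those risks (including the documented caveat that `allow-scripts` together with `allow-same-origin` lets the framed document remove its own sandbox). The finding codes, severities and the `auditIframe` function name are my own choices.

```javascript
// Added example (not from the original comments): audit an <iframe>'s
// sandbox / allow attributes for the risks discussed in the thread.
// Finding codes and severity labels are assumptions made for this example.

// Split a space-separated sandbox token list, e.g. "allow-scripts allow-forms".
function parseSandbox(value) {
  return new Set((value || "").trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Split a Permissions-Policy style allow attribute, e.g. "camera; microphone 'self'",
// into a Map of feature -> allowlist. A feature with no allowlist defaults to 'src'.
function parseAllow(value) {
  const features = new Map();
  for (const directive of (value || "").split(";")) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const [feature, ...allowlist] = parts;
    features.set(feature.toLowerCase(), allowlist.length ? allowlist : ["'src'"]);
  }
  return features;
}

// Returns an array of findings for the given attribute strings.
// `sandbox` may be "" (the most restrictive sandbox) or undefined (no sandbox).
function auditIframe({ sandbox, allow } = {}) {
  const findings = [];
  const hasSandbox = typeof sandbox === "string";
  const tokens = parseSandbox(sandbox);
  const features = parseAllow(allow);

  if (!hasSandbox) {
    findings.push({ code: "NO_SANDBOX", severity: "high",
      message: "no sandbox attribute: framed content runs with the full privileges of its origin" });
    return findings;
  }

  if (tokens.has("allow-scripts") && tokens.has("allow-same-origin")) {
    findings.push({ code: "SANDBOX_ESCAPE", severity: "high",
      message: "allow-scripts + allow-same-origin: a same-origin framed document can reach the " +
               "parent and remove its own sandbox attribute, so the sandbox adds no isolation" });
    findings.push({ code: "SAME_ORIGIN_SCRIPT", severity: "high",
      message: "script in the frame can issue credentialed same-origin requests and read " +
               "DOM/CSRF tokens; treat that script as trusted as the page itself" });
  }

  if (tokens.has("allow-same-origin")) {
    findings.push({ code: "SHARED_STORAGE", severity: "medium",
      message: "frame shares cookies and localStorage with the embedding origin; httpOnly " +
               "keeps cookies from script, localStorage has no equivalent flag" });
  }

  if (features.has("camera") && !tokens.has("allow-same-origin")) {
    findings.push({ code: "CAMERA_OPAQUE_ORIGIN", severity: "info",
      message: "allow=camera on a frame with an opaque sandboxed origin: getUserMedia() " +
               "will not be usable, as the comment above describes" });
  }

  return findings;
}

// Example run over three constructed configurations.
function demo() {
  const configs = [
    { sandbox: "allow-scripts allow-same-origin", allow: "camera" }, // the thread's case
    { sandbox: "allow-scripts", allow: "camera" },                   // opaque origin
    {},                                                               // no sandbox at all
  ];
  return configs.map((cfg) => ({ cfg, codes: auditIframe(cfg).map((f) => f.code) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const { cfg, codes } of demo()) console.log(JSON.stringify(cfg), "->", codes.join(", "));
}
```

The audit reports `SANDBOX_ESCAPE` for the exact combination the thread arrives at (`allow-scripts allow-same-origin`), and `CAMERA_OPAQUE_ORIGIN` when `allow-same-origin` is dropped; there is no configuration in which an untrusted script gets the camera without also getting the origin's storage, which is the trade-off the comments describe.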