Is it safe to have sandbox="allow-scripts allow-popups allow-same-origin" on