Explore implications of crossOriginIsolated

[TheUnlocked]

For context, crossOriginIsolated is required for certain features like SharedArrayBuffer, which is necessary to support REPL behavior in languages compiled via empscripten, such as Chez Scheme (https://github.com/TheUnlocked/scheme-js). That's because reading from stdin is a synchronous operation, and in order to make it asynchronous the language runtime has to be executed in a worker and suspended when stdin isn't available with Atomics.wait, which requires a SharedArrayBuffer. These languages can still be used without it, but they cannot be used interactively, which is a significant drawback.

I've created https://github.com/TheUnlocked/Necode/tree/experimental-iframe-crossOriginIsolated to try out Necode with the necessary security features in place to support crossOriginIsolated. Specifically, these two headers:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: credentialless

Currently the only major drawback I've found is that cross-origin iframes are not supported, which could theoretically break some instructor use cases. Because this must be site-wide in order for crossOriginIsolated to be true, providing some kind of configurable toggle for it is not tenable--everything needs to just work.

Patching iframes to be anonymous is viable, though anonymous iframes have not yet shipped in any browser. Merging in this change should at least wait until it does, even if no other issues pop up.