I’m trying to set some CSP policies on my sandboxed iframe with allow scripts. Naturally meta tags wouldn’t do the trick if the iframe itself has scripts enabled and can just remove the meta tags right? Is there a way to create the iframe with srcdoc and still set the CSP or do I have to load it from a server?