At some point, Sandstorm will actually disallow embedding off-site resources via Content-Security-Policy since otherwise it is trivial to leak data out of a Sandstorm app, something we'd like to prevent. (Currently, this client-side sandbox is incomplete.)