Iframe sandbox attribute

Edited, because my first answer was very wrong…

We can’t add allow-same-origin to our sandbox attribute, because it would allow cookies, localStorage and sessionStorage to be shared (or interfered with) across notebooks. They’re all hosted on observableusercontent.com.

For example, if you embedded a video in a notebook that sets a cookie containing tracking information about what video you played — a completely unrelated notebook could then read that cookie information out later.

We’ve got some thoughts about potential ways to ease the sandboxing restrictions further, but we’re not ready to make a change quite yet.

Hope that helps!

2 Likes
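
The reasoning in the post above, as an added example that is not part of the original post and is not Observable's code: a small JavaScript model of how the `sandbox` attribute decides a frame's origin, and so which storage area it can reach. The notebook URLs, the `lastVideo` key and the `allow-scripts` token set are assumptions made for illustration; only `allow-same-origin` and the shared host come from the post.

```javascript
// Model: a sandboxed iframe without allow-same-origin gets an opaque origin
// (serialized as "null") and is denied cookies/localStorage/sessionStorage.
// With allow-same-origin it keeps the origin of its URL, so every document
// served from the same host shares one storage area.

function frameOrigin(src, sandbox) {
  // sandbox === null models an iframe with no sandbox attribute at all.
  if (sandbox !== null) {
    const tokens = new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));
    if (!tokens.has('allow-same-origin')) return 'null'; // opaque origin
  }
  return new URL(src).origin;
}

class OriginStorage {
  constructor() { this.areas = new Map(); } // one key/value area per origin
  area(origin) {
    if (origin === 'null') {
      throw new Error('SecurityError: opaque origin has no storage');
    }
    if (!this.areas.has(origin)) this.areas.set(origin, new Map());
    return this.areas.get(origin);
  }
}

// Notebook A stores a value; unrelated notebook B then tries to read it.
function simulate(sandbox) {
  const store = new OriginStorage();
  // Constructed URLs: two unrelated notebooks on the shared host.
  const a = frameOrigin('https://observableusercontent.com/notebook-a', sandbox);
  const b = frameOrigin('https://observableusercontent.com/notebook-b', sandbox);
  try {
    store.area(a).set('lastVideo', 'constructed-video-id');
    return { originA: a, originB: b, leaked: store.area(b).get('lastVideo') ?? null };
  } catch (e) {
    return { originA: a, originB: b, leaked: null, error: e.message };
  }
}

const current = simulate('allow-scripts');                   // assumed token set
const relaxed = simulate('allow-scripts allow-same-origin'); // the requested change
console.log({ current, relaxed });
```
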