Omit security=restricted and handle marginheight/marginwidth attributes in iframe sanitizer #3950
Description
Bug Description
When adding an <iframe> with security=restricted attribute, a validation error is raised. This security attribute is obsolete (only ever supported in IE, AFAIK) in favor of the sandbox which amp-iframe supports and the iframe sanitizer provides by default. So I believe the security=restricted attribute should be omitted entirely, as was done with loading=lazy in #3939.
Similarly, iframes have legacy attributes marginwidth and marginheight which were made obsolete in HTML5. When these attributes have a value of 0 they should also be omitted from copying to the amp-iframe.
These three attributes—security, marginwidth, and marginheight—are all added by WordPress's post embeds. By preventing these from being copied, post embeds will at least not cause validation errors when used in WordPress but they still won't be fully supported. For that, see #3426.
Expected Behaviour
No validation errors should be raised.
Steps to reproduce
- Create a post and insert a WordPress embed block with the URL https://blog.amp.dev/2019/10/18/the-amp-contributor-summit-hits-new-york/
- Save the post
- See validation error warning.
Screenshots
Do not alter or remove anything below. The following sections will be managed by moderators only.