Check iframe sandbox flags such as (allow-same-origin) in a case-insensitive way

To make sure users do not try to workaround our restrictions, e.g. using "allow-Same-origin". I'd assume just lowecasing the sandbox string before checks would suffice.
