Allow same origin in sandboxing to unbreak pdf rendering

 * The pdf renderer was trying to load pdfs via an ajax call within
   the iframe. The load was failing with a CORS error because requests
   within the sandbox have their Origin headers set to "null".
   Turning on allow-same-origin within the sandbox should allow the
   requests to set their actual origin.

Author: AddisonSchiller

mfr/server/static/js/mfr.js

@@ -80,7 +80,7 @@
             self.pymParent.iframe.setAttribute('allowfullscreen', '');
             self.pymParent.iframe.setAttribute('webkitallowfullscreen', '');
             self.pymParent.iframe.setAttribute('scrolling', 'yes');
-            self.pymParent.iframe.setAttribute('sandbox', 'allow-scripts allow-popups');
+            self.pymParent.iframe.setAttribute('sandbox', 'allow-scripts allow-popups allow-same-origin');
 
             self.pymParent.el.appendChild(self.spinner);
             $(self.pymParent.iframe).on('load', function () {