[06:59:38] <tgr>	 Krinkle: we'll probably need a go/no-go decision on the performance aspects of iframe sandboxing. I summarized it in T169027#9342985 but the short version is that fetches initiated inside the sandbox completely bypass caching, and since we are loading Vega in the iframe, that would mean about 1.2MB extra data transfer per graph.
[06:59:38] <stashbot>	 T169027: Provide iframe sandboxing for rich-media extensions (defense in depth) - https://phabricator.wikimedia.org/T169027
[07:06:46] <tgr>	 ...although vega.js gzipped is only 330K so that probably includes a bunch of RL modules that are used on generic wiki pages but are not strictly needed for displaying a graph