Add doc for Cross-Origin iFrame

[Edweis]

Fixing #437
From https://stackoverflow.com/questions/46529201/puppeteer-how-to-fill-form-that-is-inside-an-iframe

[berstend]

@Edweis do you know of any other way than to --disable-web-security? This is like a nuclear option of death, with many casualties along the way (e.g. any site will be able to fetch your facebook cookies as CORS is disabled). This can also be tested against.

[berstend]

Isn't this sufficient?

      "--disable-features=IsolateOrigins,site-per-process",
      "--flag-switches-begin --disable-site-isolation-trials --flag-switches-end",

As per https://www.chromium.org/Home/chromium-security/site-isolation#TOC-Diagnosing-Issues

[berstend]

Related discussion: #196

Would be great if someone can make a proper test case to confirm failing behavior + fixed behavior when the two launch args are used. Also it'd be worthwhile to document negative side-effects - if they're neglectable we can make an evasion to enable that as the default.

[berstend]

Love the followup and further explanation on this, one of the joys of maintaining open-source.

I took it upon myself to properly verify this and lo and behold this PR is nonsense:

const puppeteer = require("puppeteer")

puppeteer
  .launch({
    headless: false,
    args: [
      "--disable-features=IsolateOrigins,site-per-process,SitePerProcess",
      "--flag-switches-begin --disable-site-isolation-trials --flag-switches-end",
    ],
  })
  .then(async (browser) => {
    const page = await browser.newPage()
    await page.goto("chrome://process-internals/")
    await page.waitForTimeout(60 * 1000)
    await browser.close()
  })

Thanks!