_Update_: I'm testing a cross-origin use-case.

The sandbox I'm testing starts in CodeSandbox's domain and then redirects to another domain where it requests webcam access.

Hi @bz-stripe!

As you can see in Google’s post, you have to explicitly add permissions for the redirected website, since camera is (by default) only enabled for the embed domain.

@MichaelDeBoey how would folks feel about granting access to all origins? Or is there an obvious security concern?

I think it's logical to keep the default behaviour, but if you as a user of the sandbox would like to have other permissions, you can just change the iframe code when using it.
Nobody's permitting you to do so on your own website.

to enable geolocation and mic/camera for an iframe, the following would be specified:

<iframe src="https://example.com" allow="geolocation; microphone; camera"></iframe>

Note that the above will grant geolocation, microphone and camera access to the origin specified in the "src" attribute, i.e. in this case it would be https://example.com. In some cases, other origins will be loaded in the iframe that you may also wish to grant access to. In those cases you can explicitly specify the origins to grant access to:

<iframe src="https://example.com" allow="geolocation https://example.com https://foo.com;"></iframe>

The above example would grant geolocation to https://example.com as well as https://foo.com when they are loaded in the iframe.

To grant access to all origins that might be loaded in the iframe, the * syntax can be used. This should be used carefully as it means that any page that gets loaded in the iframe can request geolocation, which is often not the intent.

Sorry, last question: is there an easier way to "change the iframe code" than to use the dev console every time?

Yes - use the 'Share' menu in the top-right of the editor view for the sandbox you want to embed