Since we are already strict about which domains can be used in iframes, having yet another setting where we set the allow string for each iframe and parsing the weird allow content format seems a bit much for me.
I made a PR that simply allows using anything in the allow attribute for already allowed iframes: