fix: correct comment about document.write vs srcdoc in sandbox

Update comment to accurately explain the canvas tainting issue rather than
incorrectly claiming srcdoc creates an opaque origin.

Follow-up to PR #234 per domfarolino's review feedback.

Author: ochafik

examples/basic-host/src/sandbox.ts

@@ -95,10 +95,11 @@ window.addEventListener("message", async (event) => {
         inner.setAttribute("allow", allowAttribute);
       }
       if (typeof html === "string") {
-        // Use document.write instead of srcdoc for WebGL compatibility.
-        // srcdoc creates an opaque origin which prevents WebGL canvas updates
-        // from being displayed properly. document.write preserves the sandbox
-        // origin, allowing WebGL to work correctly.
+        // Use document.write instead of srcdoc for WebGL canvas tainting workaround.
+        // While srcdoc iframes normally inherit the parent's origin, some browsers
+        // treat the about:srcdoc URL as "tainted" for canvas security checks,
+        // which breaks WebGL rendering (e.g., CesiumJS, Three.js).
+        // Using document.write avoids this issue while preserving the sandbox origin.
         // CSP is enforced via HTTP headers on this page (sandbox.html).
         const doc = inner.contentDocument || inner.contentWindow?.document;
         if (doc) {