…#3590)

Pages enforcing a Trusted Types Content Security Policy (e.g. Google
Sheets) block any browser-side HTML string assignment — including
innerHTML and DOMParser.parseFromString. The iframe expansion in
parseWithCheerio used frame.evaluate() to inject iframe content into the
browser DOM, which was silently blocked by CSP, causing iframe content
to be dropped without any visible error.

The fix moves HTML assembly out of the browser entirely. page.content()
is called first, loaded into Cheerio on the Node.js side, and iframe
content (fetched via Playwright's Node.js API, which is unaffected by
CSP) is substituted directly in the Cheerio tree.

Closes #3588