third_party/WebKit/LayoutTests/http/tests/security/sandboxed-iframe-javascript-url.html - chromium/src - Git at Google

 <!DOCTYPE html>
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <body>
 <script>
     async_test(t => {
         var i = document.createElement('iframe');
         i.setAttribute("sandbox", "allow-scripts");
         i.setAttribute("src", "javascript:top.postMessage('fail', '*');");
         window.addEventListener(
             "message",
             t.unreached_func("The sandboxed 'javascript:' URL should not execute."));

         document.body.appendChild(i);

         // TODO(mkwst): I would love a better test here, but I don't know how else to
         // verify that the script _doesn't_ execute.
         setTimeout(t.done.bind(t), 250);
     }, "JavaScript URLs in sandboxed iframes should not execute, as the origin is distinct from its opener.");
 </script>
	<!DOCTYPE html>
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	<body>
	<script>
	async_test(t => {
	var i = document.createElement('iframe');
	i.setAttribute("sandbox", "allow-scripts");
	i.setAttribute("src", "javascript:top.postMessage('fail', '*');");
	window.addEventListener(
	"message",
	t.unreached_func("The sandboxed 'javascript:' URL should not execute."));

	document.body.appendChild(i);

	// TODO(mkwst): I would love a better test here, but I don't know how else to
	// verify that the script _doesn't_ execute.
	setTimeout(t.done.bind(t), 250);
	}, "JavaScript URLs in sandboxed iframes should not execute, as the origin is distinct from its opener.");
	</script>