chromium/third_party/blink/web_tests/fast/frames/sandboxed-iframe-scripting-04.html

<!DOCTYPE html>
<html>
<head>
    <script src="../../resources/js-test.js"></script>
    <script>
        window.jsTestIsAsync = true;

        var allowedExecuted = 0;
        var disallowedExecuted = 0;
        window.addEventListener('message', function () {
          disallowedExecuted++;

          finish();
        });

        function finish() {
            shouldBe("disallowedExecuted", "0");
            shouldBe("allowedExecuted", "0");

            finishJSTest();
        };
    </script>
</head>
<body>
    <iframe sandbox="allow-same-origin"
            onload="finish()"
            src="data:text/html,<script>alert('FAIL: Executed script without allow-scripts in data URL');window.parent.postMessage({'fail': true}, '*');</script>">
    </iframe>
    <script>
        description("Verify that sandboxed frames without sandbox='allow-scripts' cannot execute script from data: URLs.");
    </script>
</body>
</html>