Server-side redirect by attacker (tel) in iframe (fully sandboxed)

Behavior is the same whether sandboxed or not