Server-side redirect by attacker (tel) in iframe with srcdoc (sandboxed)

Behavior is the same whether sandboxed or not

First iframe is fully sandboxed

Second iframe has sandbox="allow-scripts"