Server-side redirect by attacker (calc) in iframe (fully sandboxed)

Behavior is the same whether sandboxed or not