Server-side redirect by attacker (calc) in iframe with srcdoc (sandboxed)

Note: This is a UI bug, not a security bug

Behavior is the same whether sandboxed or not

First iframe is fully sandboxed

Second iframe has sandbox="allow-scripts"