Here's a test case:
<div id="container"></div>
<script>
  container.innerHTML =
    '<iframe sandbox="allow-scripts allow-modals" srcdoc="<script>history.forward()</scr' + 'ipt>">';
</script>

1. Load that in a page.
2. Navigate to another page.
3. Hit back.

The sandboxed iframe renavigates you forward.

This does seem like a violation of disallowing top-navigation to me. Maybe it should just error?

It doesn't have quite the same security concern though since the attacker can't control what page you get sent to.

I believe w/o `allow-top-navigation` iframe shouldn't be able to affect parent's stack. I don't think it's an error though. It could just be considered that the iframe is at the "bottom" of the history stack.

I don't know what you mean by being at the bottom.

I mean that API could work as if iframe's history stack is simply at the very first entry - i.e. not possible to go back anymore.

Ping! Who do we think is the right owner for this? @Mike, would this be a security bug?

Assigning to Mike to see if we can move the triage for this along.

As noted above, the security implications are minimal: the attacking frame can't control where you go, it can only send you to places you've already been. That said, it does seem like a violation of the expectations around `allow-top-navigation`. I don't have strong opinions about how to block the navigation entirely, but I do think that's a reasonable thing to do. It would be interesting to check what Firefox/Edge do in this scenario. Perhaps we can replicate their behavior if it's more sane than ours?

CCing some //content folks who know more about navigation than I do. :)

Answering to: "It would be interesting to check what Firefox/Edge do in this scenario. Perhaps we can replicate their behavior if it's more sane than ours?"

I tested all my browsers, and they all behave the same:
- Firefox Developer Edition 61.0b13 (64-bit)
- Firefox Quantum (stable) 60.0.2 (64-bit)
- Google Chrome 67.0.3396.87 (Official Build) (64-bit)
- Google Chrome 69.0.3452.0 (Official Build) dev (64-bit) (includes the behavior for "by-user-activation" announced here: https://blog.chromium.org/2018/06/chrome-68-beta-add-to-home-screen.html)
- Microsoft Edge 42.17134.1.0 (Microsoft EdgeHTML 17.17134)
- Microsoft Internet Explorer 11.112.17134.0

They all allow this kind of navigation.

I encountered this (in my eyes buggy) behavior while adding a sandbox to the iframes we include in our webapp. We run a chat website were we allow users to write own webapps that we include for all users in the current channel. To protect our users from potentially evil app developers or evil webapps we count on the iframe-sandbox feature. But with this navigation back from inside a sandboxed iframe (almost) any user can manipulate the website from any user in the channel. So for us this definitely an issue we want to see solved.
I'd recommend the proposed solution with a new allow-history flag for the sandbox, with blocked outside-iframe-navigation as the default.

And another question, since this is my very first involvement in an issue like this that exists across browsers: Who and how will the other browser vendors be informed about this issue? Will you work together with them to come up with a solution that will ship in every browser?

I found two issues in the Firefox bugzilla that seem to be related:
https://bugzilla.mozilla.org/show_bug.cgi?id=690366
https://bugzilla.mozilla.org/show_bug.cgi?id=1225637