Unsandboxed popups may also be navigated.

third_party/WebKit/Source/core/frame/Frame.cpp

Index: third_party/WebKit/Source/core/frame/Frame.cpp
diff --git a/third_party/WebKit/Source/core/frame/Frame.cpp b/third_party/WebKit/Source/core/frame/Frame.cpp
index 3d12f88fbeeb7f62458c99fac27c458131a1afc6..95a0e4190b5745f3b6fdb81b52b2b1538f49d54c 100644
--- a/third_party/WebKit/Source/core/frame/Frame.cpp
+++ b/third_party/WebKit/Source/core/frame/Frame.cpp
@@ -204,9 +204,15 @@ bool Frame::canNavigate(const Frame& targetFrame)
         return true;
 
     if (securityContext()->isSandboxed(SandboxNavigation)) {
+        // Sandboxed frames can navigate their own children.
         if (targetFrame.tree().isDescendantOf(this))
             return true;
 
+        // They can also navigate popups, if the 'allow-sandbox-escape-via-popup' flag is specified.
+        if (targetFrame == targetFrame.tree().top() && targetFrame.tree().top() != tree().top() && !securityContext()->isSandboxed(SandboxPropagatesToAuxiliaryBrowsingContexts))
+            return true;
+
+        // Otherwise, block the navigation.
         const char* reason = "The frame attempting navigation is sandboxed, and is therefore disallowed from navigating its ancestors.";
         if (securityContext()->isSandboxed(SandboxTopNavigation) && targetFrame == tree().top())
             reason = "The frame attempting navigation of the top-level window is sandboxed, but the 'allow-top-navigation' flag is not set.";