Prevent 'javascript:' URL execution in sandboxed frame.

third_party/WebKit/LayoutTests/http/tests/security/sandboxed-iframe-javascript-url.html

Index: third_party/WebKit/LayoutTests/http/tests/security/sandboxed-iframe-javascript-url.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/sandboxed-iframe-javascript-url.html b/third_party/WebKit/LayoutTests/http/tests/security/sandboxed-iframe-javascript-url.html
new file mode 100644
index 0000000000000000000000000000000000000000..bb30ccccb1f1224be04a943172c5c8466a7b9af7
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/http/tests/security/sandboxed-iframe-javascript-url.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<body>
+<script>
+    async_test(t => {
+        var i = document.createElement('iframe');
+        i.setAttribute("sandbox", "allow-scripts");
+        i.setAttribute("src", "javascript:top.postMessage('fail', '*');");
+        window.addEventListener(
+            "message",
+            t.unreached_func("The sandboxed 'javascript:' URL should not execute."));
+
+        document.body.appendChild(i);
+
+        // TODO(mkwst): I would love a better test here, but I don't know how else to
+        // verify that the script _doesn't_ execute.
+        setTimeout(t.done.bind(t), 250);
+    }, "JavaScript URLs in sandboxed iframes should not execute, as the origin is distinct from its opener.");
+</script>