Closed
The Window interface supports named properties. The supported property names at any moment consist of the following, in tree order, ignoring later duplicates:
- the browsing context name of any child browsing context of the active document whose name is not the empty string,
So the following HTML

```html
<body onload="console.log(xyz);">
<iframe sandbox srcdoc="<script>window.name='xyz';</script>"></iframe>
</body>
```

should log [Window] to the console.
However, it is weird that a cross-origin child frame can cause a named property to be set in its parent. Arguably, it is a violation of the SOP.
Today, there are several distinct behaviors:
- IE: doesn't support setting `window.name` to change the browsing context name.
- Firefox: records the origin ("setter origin") that set the browsing context name. If a child browsing context's setter origin is cross-origin, that browsing context does not participate in named access.
- Chrome/Safari: exposes all names of child browsing contexts, regardless of whether or not the setter origin is cross-origin.
In order to prevent cross-origin child frames from being able to set arbitrary named properties in their parent frame, we either:
- Use IE's behavior. If they don't support this, then maybe it's OK to just make `window.name` read only.
- Use Firefox's behavior. The one potential disadvantage is a cross-origin child frame can cause itself to disappear from the named properties by setting its name, which could be considered acting across origin boundaries.
- Use a hybrid of IE/FF: `window.name` still sets the browsing context name if the child browsing context is not cross origin.
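
The behaviors compared above, as an added JavaScript model that is not part of the original issue and is not browser code. The origins, the policy labels (`"chrome"`, `"firefox"`, `"ie"`, `"hybrid"`) and all function names are constructed for illustration, and "cross-origin" is assumed to mean "different from the parent's origin".

```javascript
// Constructed model of the behaviors listed above; not browser code.
const PARENT = "https://parent.example"; // constructed origins
const CROSS = "https://widget.example";

// <iframe name=...>: the parent document sets the initial name.
function makeChild(origin, nameAttr) {
  return { origin, name: nameAttr, setterOrigin: PARENT };
}

// Script inside the child runs `window.name = value`.
function setWindowName(child, value, policy) {
  if (policy === "ie") return; // setter does not rename the context
  if (policy === "hybrid" && child.origin !== PARENT) return; // cross-origin write ignored
  child.name = value;
  child.setterOrigin = child.origin; // Firefox's "setter origin"
}

// Supported property names of the parent Window: child names in tree order,
// skipping empty names and later duplicates.
function supportedNames(children, policy) {
  const names = [];
  for (const c of children) {
    if (c.name === "") continue;
    if (policy === "firefox" && c.setterOrigin !== PARENT) continue;
    if (!names.includes(c.name)) names.push(c.name);
  }
  return names;
}

// Scenario: a same-origin frame named "menu", then a cross-origin frame
// the parent named "ad" whose script sets window.name = 'xyz'.
function namesUnder(policy) {
  const children = [makeChild(PARENT, "menu"), makeChild(CROSS, "ad")];
  setWindowName(children[1], "xyz", policy);
  return supportedNames(children, policy);
}

for (const p of ["chrome", "firefox", "ie", "hybrid"]) {
  console.log(p.padEnd(8), namesUnder(p));
}
```

Under the `"firefox"` label the cross-origin frame drops out of the parent's named properties entirely, including the `ad` name the parent gave it, which is the disadvantage noted for that option; under `"hybrid"` the parent-assigned name survives.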