Doc server manifest page generation

chrome/common/extensions/docs/templates/articles/manifest/sandbox.html

Index: chrome/common/extensions/docs/templates/articles/manifest/sandbox.html
diff --git a/chrome/common/extensions/docs/templates/articles/manifest/sandbox.html b/chrome/common/extensions/docs/templates/articles/manifest/sandbox.html
new file mode 100644
index 0000000000000000000000000000000000000000..64876d9212178f6762314d29dfae1db7168019f8
--- /dev/null
+++ b/chrome/common/extensions/docs/templates/articles/manifest/sandbox.html
@@ -0,0 +1,67 @@
+<h1 id="sandbox">Manifest - Sandbox</h1>
+
+<p>
+Defines an collection of app or extension pages that are to be served
+in a sandboxed unique origin, and optionally a Content Security Policy to use
+with them. Being in a sandbox has two implications:
+</p>
+
+<ol>
+<li>A sandboxed page will not have access to extension or app APIs, or
+direct access to non-sandboxed pages (it may communicate with them via
+<code>postMessage()</code>).</li>
+<li>
+  <p>A sandboxed page is not subject to the
+  <a href="http://developer.chrome.com/extensions/contentSecurityPolicy.html">Content Security Policy
+  (CSP)</a> used by the rest of the app or extension (it has its own separate
+  CSP value). This means that, for example, it can use inline script and
+  <code>eval</code>.</p>
+
+  <p>For example, here's how to specify that two extension pages are to be
+  served in a sandbox with a custom CSP:</p>
+
+  <pre class="prettyprint"><span class="pun">{</span><span class="pln">
+  </span><span class="pun">...</span><span class="pln">
+  </span><span class="str">"sandbox"</span><span class="pun">:</span><span class="pln"> </span><span class="pun">{</span><span class="pln">
+    </span><span class="str">"pages"</span><span class="pun">:</span><span class="pln"> </span><span class="pun">[</span><span class="pln">
+      </span><span class="str">"page1.html"</span><span class="pun">,</span><span class="pln">
+      </span><span class="str">"directory/page2.html"</span><span class="pln">
+    </span><span class="pun">]</span><span class="pln">
+    </span><i><span class="com">// content_security_policy is optional.</span></i><span class="pln">
+    </span><span class="str">"content_security_policy"</span><span class="pun">:</span><span class="pln">
+        </span><span class="str">"sandbox allow-scripts; script-src https://www.google.com"</span><span class="pln">
+  </span><span class="pun">],</span><span class="pln">
+  </span><span class="pun">...</span><span class="pln">
+</span><span class="pun">}</span></pre>
+
+  <p>
+  If not specified, the default <code>content_security_policy</code> value is
+  <code>sandbox allow-scripts allow-forms</code>. You can specify your CSP
+  value to restrict the sandbox even further, but it must have the <code>sandbox</code>
+  directive and may not have the <code>allow-same-origin</code> token (see
+  <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox">the
+  HTML5 specification</a> for possible sandbox tokens).
+  </p>
+</li>
+</ol>
+
+<p>
+Note that you only need to list pages that you expected to be loaded in
+windows or frames. Resources used by sandboxed pages (e.g. stylesheets or
+JavaScript source files) do not need to appear in the
+<code>sandboxed_page</code> list, they will use the sandbox of the page
+that embeds them.
+</p>
+
+<p>
+<a href="http://developer.chrome.com/extensions/sandboxingEval.html">"Using eval in Chrome Extensions. Safely."</a>
+goes into more detail about implementing a sandboxing workflow that enables use
+of libraries that would otherwise have issues executing under extension's
+<a href="http://developer.chrome.com/extensions/contentSecurityPolicy.html">default Content Security
+Policy</a>.
+</p>
+
+<p>
+Sandboxed page may only be specified when using
+<a href="http://developer.chrome.com/extensions/manifest.html#manifest_version"><code>manifest_version</code></a> 2 or above.
+</p>