Restrict app sandbox's CSP to disallow loading web content in them.

chrome/test/data/extensions/api_test/sandboxed_pages_csp/main.js

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var LOCAL_FILE_NAME = 'local_frame.html';
+var REMOTE_FILE_NAME = 'remote_frame.html';
+
+onmessage = function(e) {
+  var data = JSON.parse(e.data);
+  var message = data[0];
+  if (message != 'loaded')
+    return;
+
+  var loadedFileName = data[1];
+  var succeeded = data[2];
+  var expectSuccess = loadedFileName === LOCAL_FILE_NAME;
+  chrome.test.assertEq(expectSuccess, succeeded);
+  chrome.test.succeed();
+};
+
+var loadIframeContentInSandboxedPage = function(url, fileName) {
+  var sandboxedFrame = document.createElement('iframe');
+  sandboxedFrame.src = 'sandboxed.html';
+  sandboxedFrame.onload = function() {
+    sandboxedFrame.contentWindow.postMessage(
+        JSON.stringify(['load', url, fileName]), '*');
+    sandboxedFrame.onload = null;
+  };
+  document.body.appendChild(sandboxedFrame);
+};
+
+onload = function() {
+  chrome.test.getConfig(function(config) {
+    chrome.test.runTests([
+      function sandboxedFrameLocalContentPasses() {
+        // Response is received in |onmessage|.
+        loadIframeContentInSandboxedPage(LOCAL_FILE_NAME, LOCAL_FILE_NAME);
+      },
+      function sandboxedFrameWebContentFails() {
+        var url = 'http://localhost:' + config.testServer.port +
+            '/extensions/api_test/sandboxed_pages_web_content/' +
+            REMOTE_FILE_NAME;
+        // Response is received in |onmessage|.
+        loadIframeContentInSandboxedPage(url, REMOTE_FILE_NAME);
+      }
+    ]);
+  });
+};