Restrict app sandbox's CSP to disallow loading web content in them.

chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html

+This page should be sandboxed.
+
+<script>
+// We're not served with the extension default CSP, we can use inline script.
+
+// Loading status of frames, keyed by frame's url.
+var frameLoadStatus = {};
+
+var updateFrameLoadStatus = function(fileName, succeeded) {
+  if (frameLoadStatus[fileName].completed)
+    return;
+  frameLoadStatus[fileName].completed = true;
+  var mainWindow = window.opener || window.top;
+  mainWindow.postMessage(JSON.stringify(['loaded', url, succeeded]), '*');
+};
+
+var loadIframe = function(url, fileName) {
+  var iframe = document.createElement('iframe');
+  iframe.src = url;
+  frameLoadStatus[fileName] = {completed: false};
+  document.body.appendChild(iframe);
+  // The frame load will fail for remote frames in this test because of CSP.
+  // I couldn't find a better way than setTimeout to detect that :(.

[Devlin, 2016/12/20 17:36:38]

Can we verify this in the C++ instead?

Timeouts in JS basically don't work on slow bots, like Dr Memory.

[lazyboy, 2016/12/22 03:07:29]

I've changed to test a bit to not rely on timeouts:
load local_frame.html in frame element
send 'ping' local_frame.html
receive 'pong' from local_frame.html
load remote_frame.html in the same iframe element^^^
send 'ping'
still receive 'pong' from local_frame.html, i.e. remote frame didn't load.

+  setTimeout(function() {
+    updateFrameLoadStatus(fileName, false);
+  }, 2000);
+};
+
+onmessage = function(e) {
+  var command = JSON.parse(e.data);
+  switch (command[0]) {
+    case 'load':
+      // message from main app window.
+      url = command[1];
+      fileName = command[2];
+      loadIframe(url, fileName);
+      break;
+    case 'loaded':
+      // message from subframe.
+      fileName = command[1];
+      updateFrameLoadStatus(fileName, true);
+      break;
+  }
+};
+</script>