Restrict app sandbox's CSP to disallow loading web content in them.

chrome/common/extensions/docs/templates/articles/manifest/sandbox.html

 <h1 id="sandbox">Manifest - Sandbox</h1>
 
 <p>
+<b><em>Warning:</em></b> Starting version 57, Chrome will no longer load

[Devlin, 2016/12/28 16:42:37]

nitty nit: starting *in* version 57

[lazyboy, 2016/12/28 19:14:09]

Done.

+external web content or web scripts inside sandboxed pages in favor of

[Devlin, 2016/12/28 16:42:37]

nitty nit:
maybe:
"Starting in version 57, Chrome will no longer allow external web content
(including embedded frames and scripts) inside sandboxed pages.  Please use a <a
...>webview</a> instead."

WDYT?

[lazyboy, 2016/12/28 19:14:09]

Done.

+existing secure alternative:
+<a href="https://developer.chrome.com/apps/webview_tag">webview</a>.
+</p>
+
+<p>
 Defines an collection of app or extension pages that are to be served
 in a sandboxed unique origin, and optionally a Content Security Policy to use
 with them. Being in a sandbox has two implications:
 </p>
 
 <ol>
 <li>A sandboxed page will not have access to extension or app APIs, or
 direct access to non-sandboxed pages (it may communicate with them via
 <code>postMessage()</code>).</li>
 <li>
   <p>A sandboxed page is not subject to the
   <a href="http://developer.chrome.com/extensions/contentSecurityPolicy">Content Security Policy
   (CSP)</a> used by the rest of the app or extension (it has its own separate
   CSP value). This means that, for example, it can use inline script and
   <code>eval</code>.</p>
 
   <p>For example, here's how to specify that two extension pages are to be
   served in a sandbox with a custom CSP:</p>
 
   <pre data-filename="manifest.json">
 {
   ...
   "sandbox": {
     "pages": [
       "page1.html",
       "directory/page2.html"
     ]
     // content_security_policy is optional.
     "content_security_policy":
-        "sandbox allow-scripts; script-src https://www.google.com"
+        "sandbox allow-scripts; script-src 'self'"
   ],
   ...
 }
 </pre>
   
   <p>
   If not specified, the default <code>content_security_policy</code> value is
-  <code>sandbox allow-scripts allow-forms</code>. You can specify your CSP
-  value to restrict the sandbox even further, but it must have the <code>sandbox</code>
+  <code>sandbox allow-scripts allow-forms allow-popups allow-modals;
+    script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';</code>.
+  You can specify your CSP value to restrict the sandbox even further,
+  but it must have the <code>sandbox</code>
   directive and may not have the <code>allow-same-origin</code> token (see

[Devlin, 2016/12/28 16:42:37]

maybe "but it must have the sandbox directive, and may not have the
allow-same-origin token or allow external web content" or something like that?

[lazyboy, 2016/12/28 19:14:09]

This sentence is talking about directives values of sandbox directive, so I've
put the caution about loading external web content in the next sentence.

   <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox">the
   HTML5 specification</a> for possible sandbox tokens).
   </p>
 </li>
 </ol>
 
 <p>
 Note that you only need to list pages that you expected to be loaded in
 windows or frames. Resources used by sandboxed pages (e.g. stylesheets or
 JavaScript source files) do not need to appear in the
 <code>sandboxed_page</code> list, they will use the sandbox of the page
 that embeds them.
 </p>
 
 <p>
 <a href="http://developer.chrome.com/extensions/sandboxingEval">"Using eval in Chrome Extensions. Safely."</a>
 goes into more detail about implementing a sandboxing workflow that enables use
 of libraries that would otherwise have issues executing under extension's
 <a href="http://developer.chrome.com/extensions/contentSecurityPolicy">default Content Security
 Policy</a>.
 </p>
 
 <p>
 Sandboxed page may only be specified when using
 <a href="http://developer.chrome.com/extensions/manifest#manifest_version"><code>manifest_version</code></a> 2 or above.
 </p>