Restrict app sandbox's CSP to disallow loading web content in them.

extensions/common/csp_validator.h

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef EXTENSIONS_COMMON_CSP_VALIDATOR_H_
 #define EXTENSIONS_COMMON_CSP_VALIDATOR_H_
 
 #include <string>
 
 #include "extensions/common/manifest.h"
@@ skipping 33 matching lines @@
 //
 // |options| is a bitmask of Options.
 //
 // If |warnings| is not NULL, any validation errors are appended to |warnings|.
 // Returns the sanitized policy.
 std::string SanitizeContentSecurityPolicy(
     const std::string& policy,
     int options,
     std::vector<InstallWarning>* warnings);
 
+// Given the Content Security Policy of an app sandbox page, returns the
+// effective CSP for that sandbox page.
+//
+// The effective policy restricts the page from loading external web content
+// (frames and scripts) within the page. This is done through adding 'self'
+// directive source to relevant CSP directive names.
+//
+// If |warnings| is not nullptr, any validation errors are appended to
+// |warnings|.
+std::string GetEffectiveSandoxedPageCSP(const std::string& policy,
+                                        std::vector<InstallWarning>* warnings);
+
 // Checks whether the given |policy| enforces a unique origin sandbox as
 // defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/
 // the-iframe-element.html#attr-iframe-sandbox. The policy must have the
 // "sandbox" directive, and the sandbox tokens must not include
 // "allow-same-origin". Additional restrictions may be imposed depending on
 // |type|.
 bool ContentSecurityPolicyIsSandboxed(
     const std::string& policy, Manifest::Type type);
 
 }  // namespace csp_validator
 
 }  // namespace extensions
 
 #endif  // EXTENSIONS_COMMON_CSP_VALIDATOR_H_