Restrict app sandbox's CSP to disallow loading web content in them.

extensions/common/csp_validator.h

Index: extensions/common/csp_validator.h
diff --git a/extensions/common/csp_validator.h b/extensions/common/csp_validator.h
index 93676b0b8e66dcbb6f5a7d82d9ba0e337323aaf5..e4d1cb922cd8948fddb581a748b040107a7a9f9b 100644
--- a/extensions/common/csp_validator.h
+++ b/extensions/common/csp_validator.h
@@ -51,6 +51,18 @@ std::string SanitizeContentSecurityPolicy(
     int options,
     std::vector<InstallWarning>* warnings);
 
+// Given the Content Security Policy of an app sandbox page, returns the
+// effective CSP for that sandbox page.
+//
+// The effective policy restricts the page from loading external web content
+// (frames and scripts) within the page. This is done through adding 'self'
+// directive source to relevant CSP directive names.
+//
+// If |warnings| is not nullptr, any validation errors are appended to
+// |warnings|.
+std::string GetEffectiveSandoxedPageCSP(const std::string& policy,
+                                        std::vector<InstallWarning>* warnings);
+
 // Checks whether the given |policy| enforces a unique origin sandbox as
 // defined by http://www.whatwg.org/specs/web-apps/current-work/multipage/
 // the-iframe-element.html#attr-iframe-sandbox. The policy must have the