Restrict app sandbox's CSP to disallow loading web content in them.

extensions/common/manifest_handlers/csp_info_unittest.cc

Index: extensions/common/manifest_handlers/csp_info_unittest.cc
diff --git a/extensions/common/manifest_handlers/csp_info_unittest.cc b/extensions/common/manifest_handlers/csp_info_unittest.cc
index e6698fa2a41a2c4c178cb29cc42e21e36465c745..d2621ff3a7d4e5b8171e985f217f84ee0122af7e 100644
--- a/extensions/common/manifest_handlers/csp_info_unittest.cc
+++ b/extensions/common/manifest_handlers/csp_info_unittest.cc
@@ -34,12 +34,13 @@ TEST_F(CSPInfoUnitTest, SandboxedPages) {
       LoadAndExpectSuccess("sandboxed_pages_valid_5.json"));
 
   const char kSandboxedCSP[] =
-      "sandbox allow-scripts allow-forms allow-popups allow-modals";
+      "sandbox allow-scripts allow-forms allow-popups allow-modals; "
+      "script-src 'self' 'unsafe-inline' 'unsafe-eval'; child-src 'self';";
   const char kDefaultCSP[] =
       "script-src 'self' blob: filesystem: chrome-extension-resource:; "
       "object-src 'self' blob: filesystem:;";
   const char kCustomSandboxedCSP[] =
-      "sandbox; script-src: https://www.google.com";
+      "sandbox; script-src 'self'; child-src 'self';";
 
   EXPECT_EQ(kSandboxedCSP, CSPInfo::GetResourceContentSecurityPolicy(
                                extension1.get(), "/test"));