Restrict app sandbox's CSP to disallow loading web content in them.

chrome/test/data/extensions/api_test/sandboxed_pages_csp/main.js

Index: chrome/test/data/extensions/api_test/sandboxed_pages_csp/main.js
diff --git a/chrome/test/data/extensions/api_test/sandboxed_pages_csp/main.js b/chrome/test/data/extensions/api_test/sandboxed_pages_csp/main.js
new file mode 100644
index 0000000000000000000000000000000000000000..0057fd70c00c2f5339849a24c59f33dfcb10ca75
--- /dev/null
+++ b/chrome/test/data/extensions/api_test/sandboxed_pages_csp/main.js
@@ -0,0 +1,52 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+var LOCAL_FILE_NAME = 'local_frame.html';
+var REMOTE_FILE_NAME = 'remote_frame.html';
+
+onmessage = function(e) {
+  var data = JSON.parse(e.data);
+  var message = data[0];
+  if (message != 'loaded')
+    return;
+
+  var loadedFileName = data[1];
+  var succeeded = data[2];
+  var expectSuccess = loadedFileName === LOCAL_FILE_NAME;
+  if (expectSuccess === succeeded) {
+    chrome.test.succeed();

[Devlin, 2016/12/15 00:04:11]

optional: we could just do
chrome.test.assertEq(expectSuccess, succeeeded);
chrome.test.succeed();

And the test will fail if the assertion is wrong.
But this way works too.

[lazyboy, 2016/12/15 08:02:35]

Done.

+  } else {
+    chrome.test.fail();
+  }
+};
+
+var loadIframeContentInSandboxedPage = function(url, fileName) {
+  var sandboxedFrame = document.createElement('iframe');
+  sandboxedFrame.src = 'sandboxed.html';
+  sandboxedFrame.onload = function() {
+    sandboxedFrame.contentWindow.postMessage(
+        JSON.stringify(['load', url, fileName]), '*');
+    sandboxedFrame.onload = null;
+  };
+  document.body.appendChild(sandboxedFrame);
+};
+
+onload = function() {
+  chrome.test.getConfig(function(config) {
+    chrome.test.runTests([
+      function sandboxedFrameLocalContentPasses() {
+        // Response is received in |onmessage|.
+        loadIframeContentInSandboxedPage(LOCAL_FILE_NAME, LOCAL_FILE_NAME);
+      },
+      function sandboxedFrameWebContentFails() {
+        var url = 'http://localhost:PORT/extensions/api_test/' +
+            'sandboxed_pages_web_content/URL'.replace(

[Devlin, 2016/12/15 00:04:11]

I've seen this pattern before, but it's kind of silly.  Let's just do
var url = 'http://localhost:' + port + '/extensions/api_test/sandboxed/' +
REMOTE_FILE_NAME;

[lazyboy, 2016/12/15 08:02:35]

Done.

+                /PORT/, config.testServer.port).replace(
+                    /URL/, REMOTE_FILE_NAME);
+        // Response is received in |onmessage|.
+        loadIframeContentInSandboxedPage(url, REMOTE_FILE_NAME);
+      }
+    ]);
+  });
+};