PlzNavigate: Enforce 'frame-src' CSP on the browser.

chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html

Index: chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html
diff --git a/chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html b/chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html
index ac13d0bb80ef380059c4aa4d3e6e7f6a3084ceea..6f2cd359d046973c91109f3804d87fe73573b04f 100644
--- a/chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html
+++ b/chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html
@@ -3,6 +3,19 @@ This page should be sandboxed.
 <script>
 // We're not served with the extension default CSP, we can use inline script.
 
+var sendResponse = function(msg) {
+  var mainWindow = window.opener || window.top;
+  mainWindow.postMessage(msg, '*');
+};
+
+var remote_frame_loaded = false;
+window.addEventListener('securitypolicyviolation', function(e) {
+  if (remote_frame_loaded)
+    sendResponse('succeeded');
+  else
+    sendResponse('failed');
+});
+
 var loadFrameExpectResponse = function(iframe, url) {
   var identifier = performance.now();
   return new Promise(function(resolve, reject) {
@@ -25,10 +38,6 @@ var loadFrameExpectResponse = function(iframe, url) {
 
 var runTestAndRespond = function(localUrl, remoteUrl) {
   var iframe = document.createElement('iframe');
-  var sendResponse = function(msg) {
-    var mainWindow = window.opener || window.top;
-    mainWindow.postMessage(msg, '*');
-  };
 
   // First load local resource in |iframe|, expect the local frame to respond.
   loadFrameExpectResponse(iframe, localUrl).then(function() {
@@ -36,6 +45,10 @@ var runTestAndRespond = function(localUrl, remoteUrl) {
     // resource will fail to load but we'd get an iframe.onload event and the
     // local frame will still be there. Therefore, expect the local frame to
     // respond again.
+    // PlzNavigate: The first local frame has been replaced by an error page.
+    // Instead, rely on the SecurityPolicyViolationEvent to detect that the
+    // frame has been blocked.
+    remote_frame_loaded = true;
     return loadFrameExpectResponse(iframe, remoteUrl);
   }).then(function() {
     sendResponse('succeeded');