chromium/chrome/test/data/extensions/api_test/sandboxed_pages_csp/sandboxed.html

This page should be sandboxed.

<script>
// This page is not served with the extension's default CSP, so inline script is allowed here.

// Reports a result string to the window driving the test: the opener when
// there is one, otherwise the top-level window.
//
// The target origin is '*', so the message is delivered whatever origin the
// receiving window has. The only payloads sent through here in this file are
// the fixed strings 'succeeded' and 'failed'.
var sendResponse = (msg) => {
  const receiver = window.opener ? window.opener : window.top;
  receiver.postMessage(msg, '*');
};

// Flipped to true by runTestAndRespond immediately before the iframe is
// pointed at the remote URL. Despite the name, it records that the remote
// navigation has been requested, not that the frame finished loading.
var remote_frame_loaded = false;

// A CSP violation is the expected outcome only once the remote navigation has
// been requested; a violation seen earlier is reported as a failure.
// The event itself is not inspected (blockedURI / violatedDirective are
// ignored), so any violation raised after the flag flips counts as success.
window.addEventListener('securitypolicyviolation', () => {
  sendResponse(remote_frame_loaded ? 'succeeded' : 'failed');
});

// Navigates |iframe| to |url| and returns a promise that resolves once the
// loaded frame answers with ['local frame msg', <token>], where <token> is the
// value this function sent to it after the load event.
//
// The promise rejects when the iframe fires an error event, or when a message
// arrives that does not match the expected reply.
//
// Notes for readers reusing this pattern:
// - The token comes from performance.now(); it correlates request and reply
//   but is not an unguessable value.
// - The 'message' listener checks neither event.source nor event.origin, so
//   every message delivered to this window is parsed and compared.
// - The listener is never removed. Once the promise has settled, later
//   resolve()/reject() calls have no effect.
var loadFrameExpectResponse = function(iframe, url) {
  const token = performance.now();

  return new Promise((resolve, reject) => {
    window.addEventListener('message', (event) => {
      const reply = JSON.parse(event.data);
      // Loose equality is kept deliberately so the comparison behaves exactly
      // as before.
      const isExpectedReply =
          reply[0] == 'local frame msg' && reply[1] == token;
      if (!isExpectedReply) {
        reject();
        return;
      }
      resolve();
    });

    iframe.onerror = reject;
    iframe.onload = () => {
      // Ask the freshly loaded frame to echo the token back.
      const request = JSON.stringify(['sandboxed frame msg', token]);
      iframe.contentWindow.postMessage(request, '*');
    };

    // Assigning src last ensures the handlers above are in place before the
    // navigation can complete.
    iframe.src = url;
  });
};

// Runs the two-step check inside a single iframe:
//   1. load |localUrl| and wait for the local frame to answer;
//   2. navigate the same iframe to |remoteUrl|, which the
//      Content-Security-Policy is expected to block.
//
// The result of step 2 is not observed here. It is reported by the
// 'securitypolicyviolation' listener, which reads remote_frame_loaded.
// If step 1 rejects, nothing handles the rejection, so no result message is
// sent in that case.
var runTestAndRespond = function(localUrl, remoteUrl) {
  const frame = document.createElement('iframe');

  const navigateToRemote = () => {
    // Set the flag before touching src so that the violation raised by the
    // blocked navigation is classified as the expected one.
    remote_frame_loaded = true;
    frame.src = remoteUrl;
  };

  loadFrameExpectResponse(frame, localUrl).then(navigateToRemote);

  // The iframe is attached to the document only after its handlers and src
  // have been set.
  document.body.appendChild(frame);
};

// Entry point: waits for a JSON-encoded ['load', localUrl, remoteUrl] command
// and starts the test with the two URLs it carries.
//
// Every message delivered to this window reaches this handler, including the
// replies awaited in loadFrameExpectResponse. Anything whose first element is
// not 'load' is ignored. The sender is not checked (no event.source or
// event.origin test), and the URLs are passed on unchanged to become the
// iframe's src.
onmessage = (event) => {
  const request = JSON.parse(event.data);
  if (request[0] != 'load') {
    return;
  }
  runTestAndRespond(request[1], request[2]);
};

</script>