Update the `sandbox` documentation to point to new workflow docs.

chrome/common/extensions/docs/apps/manifest.html

 <!DOCTYPE html><!-- This page is a placeholder for generated extensions api doc. Note:
     1) The <head> information in this page is significant, should be uniform
        across api docs and should be edited only with knowledge of the
        templating mechanism.
     3) All <body>.innerHTML is genereated as an rendering step. If viewed in a
        browser, it will be re-generated from the template, json schema and
        authored overview content.
     4) The <body>.innerHTML is also generated by an offline step so that this
        page may easily be indexed by search engines.
 --><html xmlns="http://www.w3.org/1999/xhtml"><head>
@@ skipping 229 matching lines @@
   "<a href="#default_locale">default_locale</a>": "<em>en</em>",
   <em>// Pick one (or none)</em>
   "<a href="browserAction.html">browser_action</a>": {...},
   "<a href="pageAction.html">page_action</a>": {...},
   "<a href="themes.html">theme</a>": {...},
   "<a href="#app">app</a>": {...},
   <em>// Add any of these that you need</em>
   "<a href="background_pages.html">background</a>": {...},
   "<a href="override.html">chrome_url_overrides</a>": {...},
   "<a href="content_scripts.html">content_scripts</a>": [...],
-  "<a href="contentSecurityPolicy.html">content_security_policy</a>": "<em>policyString</em>",
+  "<a href="../extensions/contentSecurityPolicy.html">content_security_policy</a>": "<em>policyString</em>",
   "<a href="fileBrowserHandler.html">file_browser_handlers</a>": [...],
   "<a href="#homepage_url">homepage_url</a>": "http://<em>path/to/homepage</em>",
   "<a href="#incognito">incognito</a>": "spanning" <em>or</em> "split",
   "<a href="#intents">intents</a>": {...}
   "<a href="#key">key</a>": "<em>publicKey</em>",
   "<a href="#minimum_chrome_version">minimum_chrome_version</a>": "<em>versionString</em>",
   "<a href="#nacl_modules">nacl_modules</a>": [...],
   "<a href="#offline_enabled">offline_enabled</a>": true,
   "<a href="omnibox.html">omnibox</a>": { "keyword": "<em>aString</em>" },
   "<a href="options.html">options_page</a>": "<em>aFile</em>.html",
@@ skipping 682 matching lines @@
 <h3 id="sandbox">sandbox</h3>
 <p>
 Defines an collection of app or extension pages that are to be served
 in a sandboxed unique origin, and optionally a Content Security Policy to use
 with them. Being in a sandbox has two implications:
 </p>
 <ol>
 <li>A sandboxed page will not have access to extension or app APIs, or
 direct access to non-sandboxed pages (it may communicate with them via
 <code>postMessage()</code>).</li>
-<li>A sandboxed page is not subject to the
-<a href="contentSecurityPolicy.html">Content Security Policy (CSP)</a> used
-by the rest of the app or extension (it has its own separate CSP value). This
-means that, for example, it can use inline script and <code>eval</code>.</li>
-</ol>
-<p>For example, here's how to specify that two extension pages are to be served
-in a sandbox with a custom CSP:</p>
-<pre>{
+<li>
+  <p>A sandboxed page is not subject to the
+  <a href="../extensions/contentSecurityPolicy.html">Content Security Policy (CSP)</a> used
+  by the rest of the app or extension (it has its own separate CSP value). This
+  means that, for example, it can use inline script and <code>eval</code>.</p>
+  <p>For example, here's how to specify that two extension pages are to be
+  served in a sandbox with a custom CSP:</p>
+  <pre>{
   ...
   "sandbox": {
     "pages": [
       "page1.html",
       "directory/page2.html"
     ]
     <i>// content_security_policy is optional.</i>
     "content_security_policy":
         "sandbox allow-scripts; script-src https://www.google.com"
   ],
   ...
 }</pre>
-<p>
-If not specified, the default <code>content_security_policy</code> value is
-<code>sandbox allow-scripts allow-forms</code>. You can specify your CSP
-value to restrict the sandbox even further, but it must have the <code>sandbox</code>
-directive and may not have the <code>allow-same-origin</code> token (see
-<a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox">the
-HTML5 specification</a> for possible sandbox tokens).
-</p>
+  <p>
+  If not specified, the default <code>content_security_policy</code> value is
+  <code>sandbox allow-scripts allow-forms</code>. You can specify your CSP
+  value to restrict the sandbox even further, but it must have the <code>sandbox</code>
+  directive and may not have the <code>allow-same-origin</code> token (see
+  <a href="http://www.whatwg.org/specs/web-apps/current-work/multipage/the-iframe-element.html#attr-iframe-sandbox">the
+  HTML5 specification</a> for possible sandbox tokens).
+  </p>
+</li>
+</ol>
 <p>
 Note that you only need to list pages that you expected to be loaded in
 windows or frames. Resources used by sandboxed pages (e.g. stylesheets or
 JavaScript source files) do not need to appear in the
 <code>sandboxed_page</code> list, they will use the sandbox of the page
 that embeds them.
 </p>
 <p>
+<a href="sandboxingEval.html">"Using eval in Chrome Extensions. Safely."</a>
+goes into more detail about implementing a sandboxing workflow that enables use
+of libraries that would otherwise have issues executing under extension's
+<a href="../extensions/contentSecurityPolicy.html">default Content Security Policy</a>.
+</p>
+<p>
 Sandboxed page may only be specified when using
 <a href="#manifest_version"><code>manifest_version</code></a> 2 or above.
 </p>
 </div>
         <!-- API PAGE -->
          <!-- /apiPage -->
       </div> <!-- /gc-pagecontent -->
     </div> <!-- /g-section -->
   </div> <!-- /codesiteContent -->
     <div id="gc-footer" --="">
@@ skipping 32 matching lines @@
     _uff=0;
     urchinTracker();
   }
   catch(e) {/* urchinTracker not available. */}
 </script>
 <!-- end analytics -->
       </div>
     </div> <!-- /gc-footer -->
   </div> <!-- /gc-container -->
 </body></html>