The Chrome password manager should handle correctly the CSP 'sandbox' directive.
The credential management API should be disabled. The autofill password manager should work with user mediation. That is:
- the automatic and manual "Save password?" prompts appear as usual.
- Passwords are not autofilled but filled on account select like in Incognito.

If 'sandbox allow-same-origin' specified then everything should work as usual.
As of today, Chrome on iOS ignores the directive. Chrome on other platforms disables the password manager entirely.