
Quite literally yes. It would've killed GreaseMonkey userscripts and such.


According to my little research, you can insert script tags, but you can only use the scripts which are bundled inside the extension. It's still not clear to me what prevents this script from downloading an external script using AJAX which will execute whatever the user wants (e.g. some cloud userscript service).

Also, for power users it should not be a problem at all. Just create your own extension, which is literally a few simple files, and put your userscripts inside that extension. Then load this extension from Chrome and voilà.


> It's still not clear to me what prevents this script from downloading an external script using AJAX which will execute whatever the user wants

If you read the MV3 migration guide you’ll quickly realize why. CSP script-src is restricted to self, none, or localhost sources for all non-sandbox pages, content scripts included.

https://developer.chrome.com/docs/extensions/mv3/mv3-migrati...


I don't think that's what I'm talking about. I'm talking about inserting a script from the extension which will then download another script from the external source and execute it. Once you've got access to the DOM, you're pretty much unstoppable.


No, CSP doesn’t allow you to download scripts from an external source. That’s the point of the CSP.


Since one of the parent comments mentioned AJAX, I'll add that you'll also be prevented from eval'ing that payload.


Yes, I should have been more clear: CSP doesn’t allow you to download an external script and execute it, which requires unsafe-eval.
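
An added example, not part of any comment in this thread and not Chrome's own code: a small lint of a Manifest V3 `content_security_policy.extension_pages` value against the allow-list named in the comments above (`'self'`, `'none'`, localhost), which is why `'unsafe-eval'` and remote script hosts are rejected. The function names, the sample manifests and the acceptance of `'wasm-unsafe-eval'` are assumptions of this example.

```javascript
// Added example: lint the extension_pages CSP of a Manifest V3 manifest.
// Keywords the thread lists, plus 'wasm-unsafe-eval' (assumption of this example).
const ALLOWED_KEYWORDS = new Set(["'self'", "'none'", "'wasm-unsafe-eval'"]);
// Localhost sources, as listed in the comment above.
const LOCALHOST = /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/i;
// Directives that control where executable code may come from.
const CHECKED = new Set(["script-src", "object-src", "worker-src"]);

// Split a CSP string into directive -> sources; the first duplicate wins, as in CSP.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || "").toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Return a list of findings; an empty list means nothing was flagged.
function lintManifestCsp(manifest) {
  if (manifest.manifest_version !== 3) return ["not a Manifest V3 manifest"];
  const csp = manifest.content_security_policy;
  if (csp === undefined) return []; // no override: the default policy applies
  if (typeof csp !== "object") return ["content_security_policy must be an object in MV3"];
  const findings = [];
  for (const [name, sources] of parseCsp(csp.extension_pages || "")) {
    if (!CHECKED.has(name)) continue;
    for (const src of sources) {
      if (ALLOWED_KEYWORDS.has(src.toLowerCase()) || LOCALHOST.test(src)) continue;
      findings.push(`${name}: disallowed source ${src}`);
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_OK = { manifest_version: 3,
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" } };
const SAMPLE_BAD = { manifest_version: 3,
  content_security_policy: {
    extension_pages: "script-src 'self' 'unsafe-eval' https://cdn.example.com; object-src 'self'" } };

console.log(lintManifestCsp(SAMPLE_OK));
console.log(lintManifestCsp(SAMPLE_BAD));
```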


Sounds like your extension will need to become a language interpreter itself.


Does manifest v3 support wasm?

Time to package a JavaScript interpreter into wasm and run it within the extension.


You still can just write your userscript as an extension. I just checked - it works. I inserted a script into HN and did some stuff.


I never said you can’t.


Can you pass data between script and extension? Implementing JS or Lua should be possible.


Yes - I have done this in an MV3 extension. You can basically re-implement your own runtime and download the code and run it there instead of using eval/script tags.

It's very inefficient and it's a pain to write, but it is possible.

I suspect they will not approve extensions that do this if it becomes popular.



