Workarounding the "remote code execution" constraint
Firefox has done it before Chrome some time ago: most addons evaluating Javascript code which is not included in the addon package will get a very hard time from Firefox reviewers. Currently, it is still possible with Chromium based browsers. However and webstore-wise there is a strong chance for your addon to stay significantly longer in the "pending review" status (weeks?) if the review system detects any sign or evidence of remote code execution. With the arrival of manifest V3 (currently under development) , calls to eval("jscode") , new Function("jscode") and chrome.tabs.executeScript({code: "jscode")) won't work anymore. Let's face it, there is no solution to this problem and this will impact all the scripting addons, among them the famous TamperMonkey with 10M+ users... but you can still benefit of the JS syntax and (partially) workaround those limitations in certain situations. Here is how... What if you used a sandboxed js inte