Injecting iframes (cross) in Chrome v3 Extension with Differing Origins


Cristiano Lopes

Mar 13, 2024, 3:30:16 PM
to Chromium Extensions
I am building a Chrome v3 extension. In this extension, when the user opens a specific page, for example, "https://example.com," a script will be executed to inject an iframe (overlay) from a site they have registered, such as https://www.instagram.com. Since I don't have control over the Instagram site, it's highly likely to trigger a "violates the following Content Security Policy" error. Is it possible for me to do this?

The reason is that the user needs to copy specific information without constantly switching between tabs.

wOxxOm

Mar 14, 2024, 10:10:24 AM
to Chromium Extensions, Cristiano Lopes
There are two methods:
  1. add an intermediate web_accessible_resources iframe of your own extension, then add the target iframe inside (example); you'll also need to strip the header that denies embedding (example).
  2. strip the CSP header of the parent site - as this reduces the site's security, this is forbidden to be used by default in some extension stores, e.g. in addons.mozilla.com, dunno about Chrome's.
There will still be a problem left with storage/cookie partitioning: https://crbug.com/40287010.
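An added example for method 1 in the reply above, not code from the thread or its linked examples: a `declarativeNetRequest` rule that removes `X-Frame-Options` only for sub-frames loaded by the extension's own page, plus a review check that flags rules scoped more broadly than that. The helper names `buildEmbedRule` and `auditRule` and the sample extension id are assumptions, and the manifest is assumed to grant `declarativeNetRequestWithHostAccess` and a host permission for the target site.

```javascript
// Added example: hypothetical helper names; the extension id below is constructed.
const EMBED_HEADERS = ['x-frame-options'];

// Build a header-removal rule limited to frames that the extension's own page loads.
function buildEmbedRule(id, targetHost, extensionId) {
  return {
    id,
    priority: 1,
    action: {
      type: 'modifyHeaders',
      responseHeaders: EMBED_HEADERS.map(header => ({ header, operation: 'remove' })),
    },
    condition: {
      requestDomains: [targetHost],     // only the site the user registered
      initiatorDomains: [extensionId],  // only when framed by this extension's page
      resourceTypes: ['sub_frame'],     // never the top-level document
    },
  };
}

// Review check: list the ways a modifyHeaders rule is broader than method 1 needs.
function auditRule(rule) {
  const issues = [];
  const c = rule.condition || {};
  const types = c.resourceTypes || [];
  if (types.length !== 1 || types[0] !== 'sub_frame') issues.push('resourceTypes must be exactly sub_frame');
  if (!c.initiatorDomains || c.initiatorDomains.length === 0) issues.push('no initiatorDomains: applies to frames on any site');
  if (!c.requestDomains || c.requestDomains.length === 0) issues.push('no requestDomains: applies to every framed site');
  const removed = ((rule.action || {}).responseHeaders || []).map(h => h.header.toLowerCase());
  if (removed.includes('content-security-policy')) issues.push('removes the whole CSP header');
  return issues;
}

const SAMPLE_ID = 'abcdefghijklmnopabcdefghijklmnop'; // constructed extension id
const rule = buildEmbedRule(1, 'www.instagram.com', SAMPLE_ID);

// In the extension's service worker (skipped when run outside Chrome):
if (typeof chrome !== 'undefined' && chrome.declarativeNetRequest) {
  chrome.declarativeNetRequest.updateSessionRules({
    removeRuleIds: [rule.id],
    addRules: [buildEmbedRule(rule.id, 'www.instagram.com', chrome.runtime.id)],
  });
}
```

Because the rule is keyed to the extension's own origin as initiator, the site's embedding protection stays in place when any other page tries to frame it.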