1) You cannot create a remote script tag due to extension CSP.
2) But you can create a local extension-bundled script tag. This local script will run in the page context, which will be subject to the web page's CSP.
3) You can also call `scripting.executeScript({world: "MAIN"})` to do the same thing as (2).
4) If the page's CSP allows it, the script running in page context can then create a remote script tag that loads your remotely hosted code, albeit that would likely violate Chrome Web Store's policy.
I wonder:
1) Does allowing loading remote code from page context present a security risk? My guess is yes. A compromised server will allow bad actors to serve malicious code to extension users' computers that collects data, steals session tokens, pops up ads or phishes for credentials.
2) If I were a Chrome Dev, how would I go about closing this loophole? Enforcing it after the fact is impractical. There doesn't seem to be a "proper" way to do this that relies solely on the controls provided by CSPs and extension permissions, since fundamentally, code executed in page context falls outside of the extension's security purview. Nobody likes hacks, but I think what has to be done is that extension-hosted scripts executed in page context will have to be subject to a modified page's CSP that forbids remote script-src's.
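Added example (not code from the original post): a small evaluator in JavaScript for the condition in point (4), answering whether a given page CSP would let a script running in page context load a remote script from a given URL. It models host, scheme, `'self'`, `'none'` and `*` sources only; nonces, hashes and `'strict-dynamic'` are deliberately out of scope, and the policy strings and URLs in the test are constructed.

```javascript
// Parse a CSP header/meta string into { directiveName: [sourceTokens] }.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP honours only the first occurrence of a duplicated directive.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Host-source matching: exact host, "*.example.com" wildcard, or bare "*".
function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return host.endsWith(suffix) && host.length > suffix.length;
  }
  return pattern === host;
}

// Does one source expression permit loading `target` (a URL) from `pageOrigin`?
function sourceAllows(source, pageOrigin, target) {
  const src = source.toLowerCase();
  if (src === "'self'") return target.origin === pageOrigin;
  if (src.startsWith("'")) return false; // nonce/hash/unsafe-* keywords: not modelled
  if (src === "*") return true;
  if (src.endsWith(":")) return target.protocol === src; // scheme-source, e.g. "https:"
  // host-source: [scheme://]host[:port]; any path part is ignored in this model
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && target.protocol !== scheme + ":") return false;
  const targetPort = target.port || (target.protocol === "https:" ? "443" : "80");
  if (port && port !== "*" && port !== targetPort) return false;
  return hostMatches(host, target.hostname);
}

// True if the page's CSP would allow a <script src=scriptUrl> created in page context.
function remoteScriptAllowed(policy, pageOrigin, scriptUrl) {
  const d = parseCsp(policy);
  // script-src falls back to default-src; neither present means no restriction at all.
  const sources = d["script-src"] ?? d["default-src"];
  if (sources === undefined) return true;
  if (sources.length === 0) return false; // empty directive matches nothing
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  const target = new URL(scriptUrl);
  return sources.some((s) => sourceAllows(s, pageOrigin, target));
}
```

A page with no script-src or default-src at all is the case where the loophole in point (4) is fully open; the function returns true there.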