I was wondering if I could get some guidance in regard to inspectedWindow.eval vs tabs.executeScript. I've spent a very long time writing an extension, similar to the VueJs Dev Tools extension. It basically inspects a Nintex SmartForm to transform the debugging experience.
Not knowing any different, I used tabs.executeScript to inject a 150 line content script and then inject a 2K line script into the page to assist with debugging. I've avoided any type of eval or scripting that raises security issues; I've used vanilla JS and just the Webix UI library for the panel.
I don't know the pages I'm injecting into, so I requested <all_urls> in the manifest. When I went to publish the extension, this was listed as an issue. When I asked on StackOverflow about the minimum permissions to run my scripts, wOxxOm mentioned inspectedWindow.eval. It requires work to get the script and variables into the page, but I'm also concerned about frame handling. It seems there can be issues with getting frames right when they only differ by #fragments (Issue 841429). I reliably inspect frames with executeScript({allFrames: true}) and have quite a bit of code to get this all spliced together back in my dev tools panel.
MDN prefers executeScript. "This means you need to be very careful if you waive this protection by using eval(), and should use content scripts unless you need to use eval()."
How big a deal is the more intensive publishing with <all_urls>? I really don't want to have to rewrite this portion of code when I'm close to publishing. Does this make any difference with manifest 3? There's certainly nothing malicious in my code, so they can review it to the ends of the earth. One final question: does it hinder the review process if I minify my code? (IP concerns)