I'm developing a jetpacked add-on for a specific site. My scripts need to access a webpage scripts (via window object) and vice versa (for debugging my scripts on that certain webpages using developer console in a webpage context, so add-on debugging console won't do since it doesn't have access to webpages).
I tried using Content Scripts (the ones that loads using ContentScriptFile of sdk/page-mod or sdk/tabs), with window.wrappedJSObject but they are privileged, so they get XRayed.
I tried to use Services.scriptloader.loadSubScript in Content Script, but the only way to get Services I've found is
const { Cu } = require("chrome");
let Services = Cu.import("resource://gre/modules/Services.jsm");
but Content Scripts not having 'require' it doesn't work, so I don't know if it's suitable for my case.
The easiest way I can think of to achieve my goals is just to create <script>-tags on pages with my scripts as src, but AMO signing autovalidator says that <script>-tags are dangerous and shows me
this link, which doesn't have an answer to my question.
So, is there a legit way to create an unprivileged non-xrayed script in a webpage context in a jetpacked extension?