0

I'm developing a browser extension that enables users to run custom JavaScript code, i.e., code submitted by them, on webpages they specify. I'm developing this extension on Manifest V3. Since Manifest V3 prohibits methods that evaluate a string as code, I can't use eval() or Function for that purpose. What is the standard approach to take user-submitted code and evaluate it from a content script on pages that they specify?

So far, I have been using setTimeout(my_code, 0) to evaluate user-submitted code, where my_code is a string containing the code to be evaluated. The first argument of this method is supposed to be a function, but when a string is submitted, it evaluates that string as JavaScript code for backward compatibility. This works well on most websites but fails on some websites due to strict CSP policies. I would like a method that is guaranteed to work safely on all websites regardless of their CSP policies.

Improve this question
2
  • You might find some information here: medium.com/geekculture/… Commented Oct 25, 2024 at 14:06
  • It might be easier to use an existing userscript manager unless you need to implement some kind of novel feature that isn't mentioned in your question. Commented Oct 25, 2024 at 15:05
Related questions
12225
How can I remove a specific item from an array in JavaScript?
7580
How do I remove a property from a JavaScript object?
3365
Why does my JavaScript code receive a "No 'Access-Control-Allow-Origin' header is present on the requested resource" error, while Postman does not?
Load 4 more related questions Show fewer related questions

0

Reset to default

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.