From the Add-on Policies, Development Practices:
- Add-ons must be self-contained and not load remote code for execution.
Is this referring to JavaScript only, or are CSS and HTML also included under the term “code for execution”?
The point of that policy is to prevent addon from changing behavior after it’s been approved and released.
(for example if your server suddenly returns a different code that will be injected into each page to steal passwords or inject ads)
Then there is privacy - your addon should not contact any server without user knowledge. That’s why all HTML/CSS files should be part of the addon.
And lastly, the CSS is not really executed, it’s a list of style rules, so that should be fine.
HTML is a bit more tricky though since HTML “injection” using “innerHTML” and similar API is forbidden:
Maybe describe more what exactly are you trying to build? 
Thank you for your answer. I am writing an extension that has little UI except for a modal dialog that appears on error. I was thinking of loading CSS and HTML remotely so that I wouldn’t need to release an extension update each time I decide to change the layout.
That specific use-case is forbidden 
.
Note that usually only the first addon release is manually reviewed, and all subsequent updates are super fast.
So you can release new version within minutes. You can also disable existing version if you release some buggy one (and the previous release will stay available).