There seems to be a conflict between what PayPal considers secure use of its APIs and what Mozilla considers a security risk for plugins listed on its addons.mozilla.org site:
PayPal clearly states that its .js libraries SHOULD NOT be hosted locally so that the latest version (containing their latest security fixes) is always directly fetched from THEIR server. (APIs like their “Smart Buttons” then rely on dynamically generated files - see https://www.paypal.com/sdk/js - that cannot even be hosted locally).
In order to add some “buy license” option in a “Firefox extension” the most logical thing to do would seem to directly use a respective PayPal API on the options page. And using a
"content_security_policy": "script-src 'self' https://www.paypal.com; object-src 'self'",
in the manifest.json would seem to be the most sensible thing to allow direct use of the PayPal API… unless you think that PayPal is an inherently malicious / dangerous site. But from what I understand (see https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy#exampleNote_1) this is apparently considered a major security issue by Mozilla and therefore not allowed… seriously?
So what is Mozilla’s recommended “secure” way to integrate “PayPal payment” functionality into a plugin’s options such that a plugin can detect if a payment has been made - so that it can automatically register the purchased license key?
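One way to check which `script-src` entries in a manifest CSP reach beyond the extension's own package, such as the `https://www.paypal.com` entry in the manifest line quoted in the post. This is an added example, not part of the original post and not Mozilla's or PayPal's code; the function names and the `LOCAL_ONLY` allowlist are assumptions made for illustration.

```javascript
// Added example: lists script sources in a WebExtension manifest CSP that are
// not limited to the extension package. The allowlist below is an assumption.
const LOCAL_ONLY = new Set(["'self'", "'none'", "'wasm-unsafe-eval'"]);

// Split a CSP string into a Map of directive name -> array of source expressions.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // In CSP parsing a repeated directive is ignored, so the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Manifest V2 stores the policy as a string, Manifest V3 as an object
// with an "extension_pages" member.
function extensionPagesPolicy(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === "string") return csp;
  if (csp && typeof csp.extension_pages === "string") return csp.extension_pages;
  return null; // no override in the manifest: the browser default applies
}

// Return every script source outside LOCAL_ONLY (remote hosts, schemes,
// 'unsafe-eval', hashes, ...) so it can be reviewed before submission.
function flaggedScriptSources(manifest) {
  const policy = extensionPagesPolicy(manifest);
  if (policy === null) return [];
  const directives = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get("script-src") || directives.get("default-src") || [];
  return sources.filter((s) => !LOCAL_ONLY.has(s.toLowerCase()));
}

// Constructed sample: the manifest fragment from the post.
const sampleManifest = {
  manifest_version: 2,
  content_security_policy:
    "script-src 'self' https://www.paypal.com; object-src 'self'",
};
console.log(flaggedScriptSources(sampleManifest));
```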