Yeah, I know I have content scripts. The thing is that I want a single code base for “web version” (which of course needs setting CORS headers on the remote) and the extension. And of course content scripts are available only in the extensions API, not in the basic web app.
I could replace eval with injecting script tags, I guess, but I see absolutely no difference here in terms of security.
DOM manipulation can be too heavy in terms of code when you need to create large nested structures of elements, such as table rows with cells inside them and links and icons inside those cells, for example, no?
Here are the manifest contents:
{
  "manifest_version": 2,
  "name": "Lightning",
  "version": "1.0.0j",
  "icons": {
    "128": "icons/icon128.png",
    "16": "icons/icon16.png",
    "48": "icons/icon48.png"
  },
  "content_scripts": [
    {
      "matches": [ "<all_urls>" ],
      "css": [ "styles/baloon.css" ],
      "js": [ "includes/script.js" ]
    }
  ],
  "options_ui": {
    "open_in_tab": true,
    "page": "options.html"
  },
  "background": {
    "scripts": ["js/background.js"]
  },
  "permissions": [
    "storage",
    "tabs"
  ],
  "web_accessible_resources": [
    "<all_urls>",
    "icons/*"
  ],
  "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
  "browser_action": {
    "default_title": "Lightning",
    "default_icon": "icons/icon.png",
    "default_popup": "popup.html"
  }
}
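
Added example (not part of the original post, and not the extension's own code): on the question of whether DOM construction has to be verbose, a small helper builds the nested row of cells, link and icon with createElement and text nodes only, so nothing is evaluated or parsed as markup. The names h, buildRow and isHttpUrl and the item fields (url, title, note) are assumptions; the icon path is taken from the manifest above.

```javascript
// Added example; h, buildRow and isHttpUrl are hypothetical names.

// Accept only absolute http(s) links; javascript:, data: and relative values fail.
function isHttpUrl(value) {
  try {
    return ['http:', 'https:'].includes(new URL(String(value)).protocol);
  } catch (e) {
    return false;
  }
}

// h(doc, tag, attrs, ...children): create one element together with its subtree.
function h(doc, tag, attrs = {}, ...children) {
  const el = doc.createElement(tag);
  for (const [name, value] of Object.entries(attrs)) {
    // Inline event handlers and non-http(s) link targets are refused outright.
    if (/^on/i.test(name)) throw new Error(`inline handler refused: ${name}`);
    if (name === 'href' && !isHttpUrl(value)) throw new Error('unsafe href refused');
    el.setAttribute(name, String(value));
  }
  for (const child of children.flat()) {
    // Strings become text nodes, so markup inside remote data stays inert text.
    el.appendChild(typeof child === 'string' ? doc.createTextNode(child) : child);
  }
  return el;
}

// One table row: icon cell, link cell, plain-text cell.
function buildRow(doc, item) {
  return h(doc, 'tr', {},
    h(doc, 'td', {}, h(doc, 'img', { src: 'icons/icon16.png', alt: '' })),
    h(doc, 'td', {}, h(doc, 'a', { href: item.url }, item.title)),
    h(doc, 'td', {}, item.note));
}

// Browser usage: table.appendChild(buildRow(document, item));
```

The same file works in the plain web version and in the extension, since it uses only standard DOM calls. Nothing in this rendering path calls eval, so it does not depend on 'unsafe-eval' in content_security_policy.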