Webauthn doesn’t work in iframes so I want to redirect user from my extension’s signin page to my website’s signin page and then back to extension like this:
Sign in page of my extension
moz-extension://105c5ced/signin.html
You mean by executing remote script? I don’t think so. Only if your remote page would be able to control your extension or if you were executing javascript hosted outside of your extension inside of your extension.
The whole idea here is that your extension should behave consistently - so not being able to turn malicious simply by changing some remote javascript file.
This is essentially what an OAuth flow (even though this is probably a non-standard flow) would look like. So far OAuth flows have been accepted in extensions.