Tags: javascript, authentication, google-chrome-extension, csrf, browser-extension

Secure Browser Extension API requests


I can't believe that I'm asking this right now, but I have no idea how to solve the following problem:

I have a web app that logs every visited page in a browser for better browser history search. The extension is a Chrome extension that needs to make a POST request to my API. Obviously, I need to avoid CSRF issues, i.e., other sites using the user's session to post arbitrary data to his browser history. However, since the extension runs in a different origin as a content script, I cannot retrieve CSRF tokens, hence I cannot make authenticated POST requests.

EDIT:

So I now know that I can use chrome.storage (and equivalents in other browsers) to store a token that only my content_script can read. However, I still haven't solved the issue of how to get that token into chrome.storage in the first place.

I seem to be missing something really obvious...


Solution

  • FYI, I realized that chrome.storage provides a means to sync/pass confidential data like your token that is only accessible to your scripts.

    Hence, the solution is to visit a webpage of yours, and have a content script extract the token and store it in chrome.storage.