
Google extension is not accepting script-src exceptions in V3


From what I've researched here in the community, adding the code below to manifest.json should at least allow exceptions for scripts in the whitelist, but it seems like it's no longer allowed to use injected scripts, except if the scripts are added by src tag. Could someone help me confirm, because I can't find anything in the documentation (or I didn't look properly in the API)?

manifest.json:

...
,"content_security_policy": {
    "extension_pages": "default-src 'self'; script-src 'self' https://example.com;",
    "sandbox": "sandbox default-src 'self';"
  }
...

Solution

  • I just posted and found the answer right after... As I didn't find anything on the forum, I'll leave it here in case anyone has doubts:

    ... MV3 disallows certain CSP modifications for extension_pages that were permitted in MV2. The script-src, object-src, and worker-src directives may only have the following values:

      • self
      • none
      • Any localhost source, (http://localhost, http://127.0.0.1, or any port on those domains)

    CSP modifications for sandbox have no such new restrictions. ...

    https://developer.chrome.com/docs/extensions/mv3/intro/mv3-migration/#content-security-policy

    Therefore, just by an injection like:

    const node = document.createElement('script');
    node.src = chrome.runtime.getURL('./script.js');
    node.onload = function(){ this.remove() };
    (document.head || document.documentElement).appendChild(node);
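
An added example, not part of the original question or answer: a small check that applies the rule quoted above to a manifest's `extension_pages` policy and reports the sources MV3 would reject. The function names and the `manifest_version` field in the sample are assumptions made for illustration; the check covers only the three values the quoted documentation lists.

```javascript
// Added example: implements only the rule quoted above (values allowed in MV3
// extension_pages for script-src, object-src and worker-src).
const RESTRICTED = ['script-src', 'object-src', 'worker-src'];

// Parse a CSP string into a Map of directive name -> array of source tokens.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // In CSP parsing a repeated directive is ignored, so the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True for 'self', 'none', or an http localhost / 127.0.0.1 origin on any port.
function isAllowedSource(token) {
  const t = token.toLowerCase();
  if (t === "'self'" || t === "'none'") return true;
  return /^http:\/\/(localhost|127\.0\.0\.1)(:(\d+|\*))?\/?$/.test(t);
}

// Return the {directive, source} pairs that the quoted MV3 rule disallows.
function findMv3CspViolations(manifest) {
  const csp = manifest.content_security_policy;
  const policy = csp && csp.extension_pages;
  if (typeof policy !== 'string') return [];
  const directives = parseCsp(policy);
  const violations = [];
  for (const name of RESTRICTED) {
    for (const source of directives.get(name) || []) {
      if (!isAllowedSource(source)) violations.push({ directive: name, source });
    }
  }
  return violations;
}

// The manifest fragment from the question; manifest_version is a constructed field.
const questionManifest = {
  manifest_version: 3,
  content_security_policy: {
    extension_pages: "default-src 'self'; script-src 'self' https://example.com;",
    sandbox: "sandbox default-src 'self';"
  }
};
console.log(findMv3CspViolations(questionManifest));
```

Running such a check before packaging surfaces a remote `script-src` entry early, so the script can be bundled with the extension instead.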