Bug 1706787 Comment 5 Edit History
And now that I've looked at the GH issue I see that you've already run this code from Gusted so I guess it's safe? The node script is 7 lines -- that's small enough to see that it's safe. When the GH issue talked about "hardened" sites I imagined lots of impenetrable library code.

I'm going to delete my previous comment because I missed the point entirely. _both_ injections are into the `<head>`. Both should be allowed because it's an extension doing the injecting. The difference is that one _IS_ empty in the sense I thought you meant originally. It shouldn't matter, but it does. (Is it empty, or is it an initialization problem? If we explicitly set `textContent = "";`, which should be the default, does the error go away?)

Why would an empty or uninitialized textContent even matter? CSP shouldn't care _what_ is in the node; decisions are made based on where it is (in this case "inline") and who created it (an extension, not limited by the page's CSP), not what's in it.