A lot of extensions are using eval, which is a bad idea. We block this through a CSP, except in content-scripts.
AFAIU we feel uncomfortable blocking eval in content scripts, due to the prevalence of eval in existing add-ons and widely used frontend frameworks.
eval and much less popular. So I'd like to explore the idea of disallowing dynamic import of data URLs in content-scripts before there is adoption.
The idea is to add a check in the implementation of import such that we check the current global (e.g., whether we are in a content-script) and throw for resources starting with 'data'.
I'm filing this as a security bug, not to alert malicious add-on authors. But there's no immediate risk here (as reflected in the sec-other security rating).
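
A sketch of the check proposed above, added here as an illustration and not taken from this bug or from Firefox's implementation: it compares the parsed URL scheme instead of the raw string prefix, so case and leading whitespace in the specifier do not matter. The function names, the `globalKind` values and the sample base URL are assumptions.

```javascript
// Hypothetical model of the proposed check; not Firefox code.
// `globalKind` stands in for "which kind of global is running import()".
function resolvedScheme(specifier, baseURL) {
  try {
    // The URL parser trims surrounding whitespace, lowercases the scheme and
    // resolves relative specifiers against the importing script. This only
    // approximates module specifier resolution (bare specifiers are not modelled).
    return new URL(specifier, baseURL).protocol;
  } catch (e) {
    return null; // unparsable: the import would fail to resolve anyway
  }
}

function checkDynamicImport(specifier, baseURL, globalKind) {
  if (globalKind === 'content-script' &&
      resolvedScheme(specifier, baseURL) === 'data:') {
    throw new TypeError('import() of data: URLs is not allowed in content scripts');
  }
  return true;
}

// Convenience wrapper: true when the check rejects the import.
function isBlocked(specifier, baseURL, globalKind) {
  try {
    checkDynamicImport(specifier, baseURL, globalKind);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed sample inputs (placeholder extension UUID).
const BASE = 'moz-extension://00000000-0000-0000-0000-000000000000/content.js';
const SAMPLES = [
  ['data:text/javascript,export default 1', 'content-script'],
  ['DATA:text/javascript,export default 1', 'content-script'],
  ['  data:text/javascript,export default 1', 'content-script'],
  ['./data/helper.js', 'content-script'],               // relative file, not a data: URL
  ['data:text/javascript,export default 1', 'extension-page'], // other global: out of scope
];

function runSamples() {
  return SAMPLES.map(([spec, kind]) => isBlocked(spec, BASE, kind));
}

console.log(runSamples());
```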