I’m developing a browser extension that enables users to run custom JavaScript code, i.e., code submitted by them, on webpages they specify. I’m developing this extension on Manifest V3. Since Manifest V3 prohibits methods that evaluate a string as code, I can’t use eval() or Function for that purpose. What is the standard approach to take user-submitted code and evaluate it from a content script on pages that they specify?
So far, I have been using setTimeout(my_code, 0) to evaluate user-submitted code, where my_code is a string containing the code to be evaluated. The first argument of this method is supposed to be a function, but when a string is submitted, it evaluates that string as JavaScript code for backward compatibility. This works well on most websites but fails on some websites due to strict CSP policies. I would like a method that is guaranteed to work safely on all websites regardless of their CSP policies.