Well then, just today I found a footnote on the manifest docs <https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/content_security_policy>. It reads: Note: Valid examples display the correct use of keys in CSP. However, extensions with 'unsafe-eval', 'unsafe-inline', remote script, blob, or remote sources in their CSP are not allowed for extensions listed on addons.mozilla.org due to major security issues.
Well, as it turns out, it *is* possible to allow for user formatting without permitting eval in the CSP; the mechanism is just a rather strange one – it involves the use of content scripts via tabs.executeScript(). I suppose the restricted context of content scripts makes that safe enough for Mozilla not to dismiss out of hand. manifest.json and background.js should reflect this in the latest commit.
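The footnote's list, turned into a check over a manifest's content_security_policy string. This is an added example, not code from the post, the extension's repository, or addons.mozilla.org; the function names, the rule for what counts as "remote", and the sample policies are assumptions made for illustration.

```javascript
// Added example: flags the CSP sources named in the MDN footnote.
// The classification rules are assumptions, not AMO's actual validator.
const FORBIDDEN_KEYWORDS = ["'unsafe-eval'", "'unsafe-inline'"];
const REMOTE_SCHEMES = ["http", "https", "ws", "wss"];

// Parse "directive src src; directive src" into a Map of directive -> sources.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by CSP; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return the footnote category a source falls into, or null if none applies.
function classifySource(directive, source) {
  const s = source.toLowerCase();
  if (FORBIDDEN_KEYWORDS.includes(s)) return s.slice(1, -1);
  if (s.startsWith("'")) return null; // 'self', 'none', hashes, nonces
  if (s === "blob:") return "blob";
  // A scheme source is "scheme:" alone or "scheme://..."; "host:443" is a host.
  const scheme = /^([a-z][a-z0-9+.-]*):(\/\/|$)/.exec(s);
  if (scheme && !REMOTE_SCHEMES.includes(scheme[1])) return null; // e.g. moz-extension:
  // Bare hosts, wildcards and http(s)/ws(s) sources are treated as remote.
  return directive.startsWith("script-src") ? "remote script" : "remote source";
}

function lintCsp(policy) {
  const findings = [];
  for (const [directive, sources] of parseCsp(policy)) {
    for (const source of sources) {
      const issue = classifySource(directive, source);
      if (issue) findings.push({ directive, source, issue });
    }
  }
  return findings;
}

// Constructed sample policies (not taken from the extension's manifest.json).
const WITH_EVAL = "script-src 'self' 'unsafe-eval'; object-src 'self'";
const WITHOUT_EVAL = "script-src 'self'; object-src 'self'";
console.log(lintCsp(WITH_EVAL), lintCsp(WITHOUT_EVAL));
```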