That uses a different manifest permission.
https://developer.chrome.com/blog/crx-scripting-api#breaking...
That's remotely hosted code...also a problem, but you can inject code that's not remotely hosted.
alt Hacker News
That's remotely hosted code...also a problem, but you can inject code that's not remotely hosted.