I have an html file bundled with an extension, that serves as a skeleton for the document in which I would like to show (insert into) remote html snippets and/or images. I understand that opening a tab to this file with an extension url (obtained from browser.runtime.getURL()) and inserting into that would not be safe, since the page has extension level permissions.
Then I tried getting the source of the file with XmlHttpRequest, which works fine. Then, from this source, I have tried to create either and object URL or a data URL. The former does not seem to work properly for html mime type (works for txt though). The data URL route works as far as opening the page, but I don’t seem to be able to add contentscript to it using tabs.executeScript() (I can add scripts to other tabs fine).
Is this a viable way to do it and I am missing something? If not, how can I safely insert remote HTML/images into an html file bundled with an extension so that I can manipulate the page using JS? If HTML cannot be inserted safely, is it safe to insert plain text (I would think so) and images (I don’t know about this one) to a page loaded from an extension URL?