I'd rather than extension authors used scripts from their extension package.  Injecting an inline script is likely to lead to XSS.

(In reply to comment #1)
> I'd rather than extension authors used scripts from their extension package.  Injecting an inline script is likely to lead to XSS.

What about out-of-line scripts hosted on origins that the extension's CSP allows? I think we're currently blocking those as well.

Unassigning myself; let's be realistic about what I'm actually working on. :/

This issue was resolved with the patch for bug #144830.

(In reply to comment #4)
> This issue was resolved with the patch for bug #144830.

Disregard this remark. Following the patch for bug #144830 subresource loads/JavaScript execution initiated from markup always honor the Content Security Policy of the page regardless of whether such markup was programmatically inserted into the document from an isolated world. That is, markup injected by an extension is not exempt from the Content Security Policy of the page (programmatic resource fetching, say via XHR, is exempt from CSP when initiated in an isolated world). As of the time of writing, we have not heard of any compatibility issues in Safari extension from this change.

For completeness, the patch for bug #144830 did exempt user agent shadow DOM markup from CSP because such markup is used to implement browser features and is considered an implementation detail.

I marked this issue RESOLVED WONTFIX because I do not feel we should fix this bug as it encourages a bad idiom. I agree with Adam Barth's remarked in comment #1, we want extension authors to use scripts included in their extension bundle as opposed to programmatically injecting inline script that could make the page susceptible to an XSS vulnerability.