Open Bug 1685123 Opened 4 years ago Updated 2 years ago

implement manifest sandbox support

Categories

(WebExtensions :: General, enhancement, P3)

Tracking

(Not tracked)

People

(Reporter: mixedpuppy, Assigned: mixedpuppy)

References

(Blocks 2 open bugs)

Details

(Whiteboard: [design-decision-needed])

Attachments

(2 files, 2 obsolete files)

With manifest v3 CSP changes, the sandbox functionality becomes important as a way to allow extensions to continue using JavaScript frameworks that still use eval or other eval-like constructs. We should support sandbox for those use cases.

https://developer.chrome.com/docs/extensions/mv3/manifest/sandbox/

Assignee: nobody → mixedpuppy
No longer blocks: 1594235
Attachment #9196189 - Attachment is obsolete: true

This bug is going on hold for now; we will revisit whether we want to support sandbox sometime down the road. Part 1 might be something we split out to its own bug.

Priority: P2 → P3
Depends on: 1700762

Comment on attachment 9195509 [details]
Bug 1685123 part 1: sandboxed extensions pages are allowed to load their own resources

Revision D100834 was moved to bug 1700762. Setting attachment 9195509 [details] to obsolete.

Attachment #9195509 - Attachment is obsolete: true
Attachment #9196187 - Attachment description: Bug 1685123 part 2: add sandbox to extension manifest and policy → Bug 1685123 add sandbox to extension manifest and policy
Attachment #9196188 - Attachment description: Bug 1685123 part 3: apply sandbox base csp to sandboxed pages → Bug 1685123 apply sandbox base csp to sandboxed pages
Duplicate of this bug: 1798460
Whiteboard: [design-decision-needed]

Would this sandbox allow for extensions that do browser automation, i.e. extensions that can execute JavaScript received from a (trusted) native application? It is currently possible to have a native application send JavaScript code for an extension to execute, which is mighty useful. It is code existing on the user's computer, sent to the Firefox extension by a native application that already has local execution privileges, so there is no real escalation of privileges by the extension's ability to do eval, as I understand it. (Eval is currently needed for that in combination with native messaging.)
