I’m developing a Chrome extension for a client who wants me to embed a remote JavaScript file into specific pages.
Is that even allowed? For instance, I know that on Firefox such an extension won’t get approved by AMO.
And if it is allowed, what’s the best way to make it as secure as possible? (I’m already using HTTPS to negate man-in-the-middle attacks.)
Thanks to all in advance 🙂
This is not uncommon; a number of extensions do this, so I don’t expect you to be rejected if you are careful. However, do keep an eye on the new CSP (Content Security Policy) changes, which may impact this functionality in the future: https://mikewest.org/2011/10/secure-chrome-extensions-content-security-policy
As of now, there are a few ways you can accomplish this:
1) You can use XMLHttpRequest in your background page to download the code, and you can inject it in the web page using chrome.tabs.executeScript.
2) You can do the same thing from a content script because content scripts can also use cross-domain XMLHttpRequest.
3) You can create a content script that creates a <script> element in the page with the “src” attribute pointing to the external script.
Additional Security
To make it as secure as possible, https would be key. You can provide an additional level of security by actually encoding or signing the script. For example:
1) Create a public/private key pair; the public key is included with the extension and the private key is used to encode the script when it is ready.
2) Finish the script code on the server side, then encode it with the private key.
3) On the extension side, download the script “document”, then decode it with the public key. Verify that it’s a valid script file.
This way you will only accept and execute scripts that you know were signed by the owner of the private key.