Once we figure out our Firefox code maintenance approach, and perhaps after resolving #3053, let's switch our CSP-vulnerable main world injection approach to the scripting API. This should also fix some (and perhaps all) injection race conditions.
Related to #2948, #1793.
