Google Chrome's manifest version 2 imposed some new security limitations, among them:
Seems rather harmless, you probably don't use eval anyway, right?
Wrong. If you use JS templates like most of the cool kids do, it's likely your templating-framework of choice might uses eval or perhaps new Function somewhere. That means the only way you could keep using it in a manifest 2 extension is via ugly sandboxing.
If you already have tons of templates and you don't wanna switch, that's cool. Go create a temaplting-sandbox and share on github so we could all enjoy.
But if you don't have too many existing templates, or are just starting development and trying to pick a templating solution which will work, My recommendation is Mustache. More specifically, this fork of mustache, which @addyosmani changed to comply with CSP.
Mustache is logic-less templating, which makes sense for the CSP use case — If you don't have embedded logic, you never have to generate functions from strings.
I faced this challenge with an established app which has only one little underscore.js template. Converting it to Mustache, including learning Mustache, took ~5 minutes, and IMHO it's now more neat. Go check Mustache out.