你可以还可以使用 iframe 并使用script / css URL作为框架的 src （因此它根本不被评估/应用），尽管在这种情况下你想要确保JavaScript / CSS与Content-Type text / plain 一起提供，以避免在< 字符等情况下发生不幸事件。虽然你应该在这个方法上遇到SOP问题，但是在一个不错的浏览器上，如果 iframe src 来自另一个来源。

You can also use an iframe and use the script/css URL as the src of the frame (so it isn't evaluated/applied at all), although you'd want to be sure in that case that the JavaScript/CSS was delivered with Content-Type text/plain to avoid unfortunate things happening with < characters and such. Although you should run into SOP issues with this approach as well, on a decent browser, if the iframe src is from a different origin.

除此之外，我认为你在很大程度上已经列出了你所列出的选项。

Other than that, I think you largely have it covered with the options you list.