Yes, I'm quite sure we all know how it works. Let me try & summarise:
- The server can pass through a static html file (which may contain any number of client-side scripts). The only thing it "injects" are http headers. I wouldn't call this injection.
- The server can partly or completely generate the page using Node, PHP, ASP, Perl, SSI, etc. It can send & receive & "inject" anything from any other server, but it will ultimately arrive as static html (with or without client-side scripts). I wouldn't call this injection, unless some remotely received data is not what the web developer thought it would be, which is probably bad, but which the developer should have anticipated. Always clean your input from any source.
- The server may post-process the generated page and inject stuff. For example, banners for "Made on Shitty Service, Inc." on an otherwise free homepage service. This is unfortunate because it modifies the page as the web developer intended it for you, and you may get ads and trackers which can hopefully be blocked by a client-side ad blocker. I would call this injection, but it's probably not too bad unless the server is malicious or it has been taken over by someone malicious.
can modify the stream and inject stuff. This is the ugliest sort of injection.
- The static html can contain client-side scripts (javascript) or links to external sources (like iframes or even seemingly static images) which, if allowed by the client, can run and modify and load anything from any server. There are *some* restrictions in modern browsers but this can get very ugly. On the other hand, this is how "web apps" operate nowadays: transfer a skeleton html file plus a set of scripts, load the important stuff afterwards (like your email, if it's an email web viewer). So it's probably injection but if it's legit and as intended, then :shrug: