by adrin2 3531 days ago
Uhm, wait, what? Firefox extensions can execute literal code from a visited website? To me that sounds like the root cause of the problem and a glaring security hole - either the website has to be sanitized/projected into a harmless DOM abstraction, or extensions shouldn't be able to use any kind of dynamic eval.

Sure, Angular may be vulnerable by default, but good luck thinking that all the other extensions out there are safe and not using eval at any point.

1 comment

>either the website has to be sanitized/projected into a harmless dom abstraction

Should Firefox contain code to recognize text that looks like Angular templates and then break it somehow? That'd be extremely specific.

Eval isn't an inherently unsafe feature, and it doesn't have a monopoly on insecurity: Angular doesn't even require eval. It can run without eval in a CSP-supporting mode that's equally vulnerable.
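To make the reply's point concrete, here is an added example (not code from either commenter, and not Angular's own expression parser): a toy expression interpreter in the style of a CSP-compatible template engine. It never calls eval or new Function itself; it only splits an expression into identifiers and call suffixes and walks them with ordinary property access. Starting from a plain scope object (constructed here as `{ user: { name: 'bob' } }`, a stand-in for a template scope), the chain `constructor.constructor('...')()` reaches the Function constructor through the prototype chain and runs attacker-supplied source. The `hardened` option shows the check that actually matters: refuse `constructor`, `__proto__` and `prototype`, and only follow own properties of plain objects, so the walker cannot leave the scope the page deliberately exposed. In a browser with a CSP that forbids `unsafe-eval` the final `Function(...)` call would itself be blocked, but the same traversal reaches any other function the scope exposes, which is why the fix belongs in the interpreter, not in avoiding eval.

```javascript
'use strict';

// Parse a single-quoted string argument such as 'return 6*7'. Escapes are
// deliberately unsupported to keep the toy grammar small.
function parseStringLiteral(src) {
  if (src.length < 2 || src[0] !== "'" || src[src.length - 1] !== "'") {
    throw new SyntaxError('only single-quoted string arguments are supported');
  }
  return src.slice(1, -1);
}

// Evaluate "ident(.ident)*" where any step may carry call suffixes "()" or
// "('literal')". No eval, no new Function: just property lookups and calls.
// With { hardened: true } the walker is confined to own properties of plain
// objects and refuses the names that lead out of the scope object.
function evalExpr(expr, scope, { hardened = false } = {}) {
  const DENIED = new Set(['constructor', '__proto__', 'prototype']);
  let i = 0;
  let cur = scope;          // value reached so far
  let receiver = undefined; // `this` for the next call
  while (i < expr.length) {
    const ch = expr[i];
    if (ch === '.') { i++; continue; }
    if (ch === '(') {
      const close = expr.indexOf(')', i);
      if (close < 0) throw new SyntaxError('unbalanced (');
      const inner = expr.slice(i + 1, close).trim();
      const args = inner === '' ? [] : [parseStringLiteral(inner)];
      if (typeof cur !== 'function') throw new TypeError('value is not callable');
      cur = cur.apply(receiver, args);
      receiver = undefined;
      i = close + 1;
      continue;
    }
    const m = /^[A-Za-z_$][\w$]*/.exec(expr.slice(i));
    if (!m) throw new SyntaxError(`unexpected '${ch}' at offset ${i}`);
    const name = m[0];
    i += name.length;
    if (hardened) {
      if (cur === null || typeof cur !== 'object') {
        throw new TypeError(`cannot traverse into non-object before '${name}'`);
      }
      if (DENIED.has(name)) throw new Error(`access to '${name}' denied`);
      if (!Object.prototype.hasOwnProperty.call(cur, name)) {
        throw new Error(`'${name}' is not an own property of the scope`);
      }
    }
    receiver = cur;
    cur = cur[name];
  }
  return cur;
}

// Run an expression and report success or the error message instead of throwing.
function attempt(expr, scope, opts) {
  try {
    return { ok: true, value: evalExpr(expr, scope, opts) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed demo: a benign lookup and a sandbox escape, with and without the
// hardening checks. The escape reaches Function via Object.constructor.
function demo() {
  const scope = { user: { name: 'bob' } }; // constructed stand-in for a template scope
  const escape = "constructor.constructor('return 6*7')()";
  return {
    benign: attempt('user.name', scope),
    escape: attempt(escape, scope),
    hardenedBenign: attempt('user.name', scope, { hardened: true }),
    hardenedEscape: attempt(escape, scope, { hardened: true }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running it prints `benign` and `hardenedBenign` resolving to `"bob"`, `escape` evaluating to `42` even though the interpreter contains no eval, and `hardenedEscape` failing at the first `constructor` lookup. The own-property rule is the part worth copying: an allowlist of what the template may reach is far easier to reason about than a denylist of dangerous names.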