by AgentME
3530 days ago
Eval has legitimate uses, and there are plenty of ways that extensions can be insecure or malicious without using eval. Firefox's Addons Marketplace reviews extensions and rejects ones that are malicious or insecure. The issue is not that Angular uses an inherently insecure feature. The issue is that Angular does insecure things: it lets a webpage run any code with the extension's privileges. If the extension has privileges to your email domain, then the webpage can abuse the extension's privileges to harvest your email. An extension that let your email be harvested would get rejected regardless of whether it used eval or not. (For example, a malicious extension could be made which doesn't use eval and is just a couple of hard-coded lines to make privileged AJAX connections to gmail.com. There are no technical features that the extension is using that shouldn't be available.)