by bzbarsky 3526 days ago
> What if the malicious web site does something like <script src

That will run with the website's privileges. Just like site A loading a script from site B will run it with site A's privileges.

> the loading fails with an exception saying "chrome-extension://" is not an allowed source.

Chrome extensions (and webextensions) have a way to flag particular files as "web-exposed". Ones that are not can't be loaded via the web.

Firefox has something similar for chrome:// URIs in non-webextensions, but resource:// allows loads from the web in certain contexts, which include <script> elements.

> Can we consider it is safe to use angular 1.x only from local add-on panels to run the user interface?

I don't know the details of what the security issues reported on angular 1.x are, so I can't claim that it's safe or not safe. But at first blush, as long as angular is only interacting with the addon's own DOM, and the addon DOM never injects any text from a page DOM into itself, it _seems_ like it should be safe.
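The "web-exposed" flag bzbarsky describes, as an added illustrative model that is not Chrome's code and not part of this thread; it assumes the Manifest V3 `web_accessible_resources` shape and deliberately simplifies match patterns (scheme, host wildcard and `<all_urls>` only):

```javascript
// Simplified model of the "web-exposed" check: a packaged extension file may be
// loaded from a web page (e.g. via <script src="chrome-extension://...">) only if
// some web_accessible_resources entry lists the file AND matches the page's origin.
// This is an illustration, not the browser's implementation.

// Constructed sample manifest: only ui/panel.js and the PNG assets are exposed,
// and only to https://example.com pages. Everything else stays private.
const manifest = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["ui/panel.js", "assets/*.png"], matches: ["https://example.com/*"] }
  ]
};

// Turn a resource glob such as "assets/*.png" into a RegExp anchored at both ends.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// Match-pattern check (simplified): "<all_urls>" matches any http(s) page;
// otherwise the scheme must match and the host may carry a leading "*." wildcard.
function originMatches(pattern, pageUrl) {
  const url = new URL(pageUrl);
  if (pattern === "<all_urls>") return /^https?:$/.test(url.protocol);
  const m = /^(\*|https?):\/\/(\*|\*\.[^/]+|[^/*]+)\//.exec(pattern);
  if (!m) return false;
  const schemeOk = m[1] === "*" ? /^https?:$/.test(url.protocol) : url.protocol === m[1] + ":";
  const hostPat = m[2];
  const hostOk = hostPat === "*" ? true
    : hostPat.startsWith("*.") ? (url.hostname === hostPat.slice(2) || url.hostname.endsWith(hostPat.slice(1)))
    : url.hostname === hostPat;
  return schemeOk && hostOk;
}

// Would the browser let a page at pageUrl load extension file `path`?
function isWebAccessible(manifest, path, pageUrl) {
  return (manifest.web_accessible_resources || []).some(entry =>
    entry.resources.some(r => globToRegExp(r).test(path)) &&
    entry.matches.some(p => originMatches(p, pageUrl)));
}
```

Files outside the listed resources (here `background.js`) are refused regardless of the requesting origin, which is the property that keeps the addon's internal scripts out of reach of a hostile page.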