|
|
|
|
|
|
by dancek
3530 days ago
|
|
|
Thanks for the reply. I mistook the sandbox to be related to $sce. It's been a while since I last coded Angular. So you're saying that Mozilla is mistaken in their decision, and the only way for page content to be eval'd with extension privileges is if the developer was careless with ng-bind-html or $compile? |
|
|
Yes, Angular itself is fine, and there's no problem with escaping or eval'ing per se.
However there is a corner condition in which Angular being present in an extension might weaken some security measures. It requires multiple issues to happen together, including the victim page being vulnerable in the first place. I'm actually not sure if that is the issue that Mozilla was thinking about, but it is a problem. We will put some defense in depth into Angular to mitigate this, but I believe it's a general issue with how extensions are handled, not limited to Angular.
Sorry for being a bit vague, but no patch has been released yet.