by rginda 5165 days ago
The app opts in to a strict Content Security Policy <http://www.w3.org/TR/CSP/>, which disallows 'eval' entirely. It also severely restricts where and how JS can be loaded with the script tag, setTimeout/setInterval, and event attributes. It's essentially intended to make sure that only the JS that shipped with the extension can be executed.

There may be undiscovered exploits, of course, but CSP severely reduces the chances.
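As an added example (not code from the comment or from the app it describes), the script below evaluates the `script-src` directive of a CSP header against each of the execution paths the comment lists: `eval`, string-argument `setTimeout`, inline `<script>`, event-handler attributes, and remote script tags. The two policies, the page origin `https://app.example` and the CDN URL are constructed for illustration; nonce/hash sources and path matching are deliberately left out, so this is a simplification of the full CSP matching algorithm, not a conformant implementation.

```javascript
// Added example, not rginda's code: a minimal evaluator for the script-src
// directive of a Content-Security-Policy header. Simplifications: nonce-/hash-
// sources and path components of host-sources are not modelled.

// Constructed sample policies: the first is the kind of strict policy the
// comment describes, the second is a permissive one for contrast.
const STRICT_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'";
const LOOSE_POLICY = "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.example";

// Parse "name src src; name src" into { name: [src, ...] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// script-src falls back to default-src; null means "no restriction at all".
function scriptSources(policy) {
  const d = parsePolicy(policy);
  return d['script-src'] || d['default-src'] || null;
}

// eval(), new Function() and string setTimeout/setInterval need 'unsafe-eval'.
function allowsEval(policy) {
  const src = scriptSources(policy);
  return src === null || src.includes("'unsafe-eval'");
}

// Inline <script> bodies and on*="..." attributes need 'unsafe-inline'
// (ignoring nonces and hashes, which this example does not model).
function allowsInlineScript(policy) {
  const src = scriptSources(policy);
  return src === null || src.includes("'unsafe-inline'");
}

// scheme://host[:port] of a URL, used for host-source matching.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// Can a <script src=url> load on a page served from pageOrigin?
function allowsScriptFrom(policy, url, pageOrigin) {
  const src = scriptSources(policy);
  if (src === null) return true;
  if (src.includes("'none'")) return false;
  const target = originOf(url).toLowerCase();
  const targetHost = new URL(url).host.toLowerCase();
  for (const s of src) {
    if (s === "'self'" && target === pageOrigin.toLowerCase()) return true;
    if (s === '*') return true;
    if (s.startsWith("'")) continue; // other keyword sources do not match URLs
    if (s.startsWith('*.')) {
      // wildcard host-source matches subdomains only, never the bare domain
      if (targetHost.endsWith(s.slice(1))) return true;
      continue;
    }
    if (s.includes('://')) {
      if (originOf(s) === target) return true;
    } else if (targetHost === s) {
      return true; // scheme-less host-source (scheme rules simplified)
    }
  }
  return false;
}

// Map each execution path from the comment to the source expression it needs.
function executionPathAllowed(policy, path, url, pageOrigin) {
  switch (path) {
    case 'eval':
    case 'setTimeout-string': // setTimeout("code", ms) is an eval sink
      return allowsEval(policy);
    case 'inline-script':
    case 'event-attribute': // onclick="..." counts as inline script under CSP
      return allowsInlineScript(policy);
    case 'script-tag':
      return allowsScriptFrom(policy, url, pageOrigin);
    default:
      throw new Error(`unknown execution path: ${path}`);
  }
}

// Summarise which paths a policy leaves open for a page at pageOrigin
// trying to load a third-party script from the constructed CDN URL.
function report(policy, pageOrigin) {
  const paths = ['eval', 'setTimeout-string', 'inline-script', 'event-attribute', 'script-tag'];
  const out = {};
  for (const p of paths) {
    out[p] = executionPathAllowed(policy, p, 'https://cdn.example/lib.js', pageOrigin);
  }
  return out;
}

console.log('strict:', report(STRICT_POLICY, 'https://app.example'));
console.log('loose :', report(LOOSE_POLICY, 'https://app.example'));
```

Under the strict policy every path in the report comes back `false`, which is the property the comment relies on: with no `'unsafe-eval'`, no `'unsafe-inline'` and only `'self'` as a host-source, the only script that can run is script that shipped with the app. The absence of any policy at all (empty string) yields `null` sources and every path allowed, which is the browser default the policy is replacing.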