Hacker News new | past | comments | ask | show | jobs | submit login

It's a bit more complicated.

Yes, Angular itself is fine, and there's no problem with escaping or eval'ing per se.

However there is a corner condition in which Angular being present in an extension might weaken some security measures. It requires multiple issues to happen together, including the victim page being vulnerable in the first place. I'm actually not sure if that is the issue that Mozilla was thinking about, but it is a problem. We will put some defense in depth into Angular to mitigate this, but I believe it's a general issue with how extensions are handled, not limited to Angular.

Sorry for being a bit vague, but no patch has been released yet.




thx for the update




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: