Uhm, wait what? Firefox extensions can execute literal code from visited a website?
To me that sounds like the root cause of the problem and a glaring security hole - either the website has to be sanitized/projected into a harmless dom abstraction or extensions shouldn't be able to use any kind of dynamic evals.
Sure angular may be vulnerable by default but good luck thinking that all other extensions out there are safe and not using evals at any point.
Sure angular may be vulnerable by default but good luck thinking that all other extensions out there are safe and not using evals at any point.