[bugmen0t]

Two notes:

2) There is interest and progress on securing web applications: - For early research papers look into 'Privilege Separation in HTML5 Applications' by Devdatta Akhawe et al. <https://www.usenix.org/system/files/conference/usenixsecurit.... - For more practical concerns, see the stuff coming out of the W3C WebAppSec Working Group (CSP, Suborigins, etc.). - For Sandboxing/Compartmentalization of code, see the Realms proposal coming in to a future version of ECMAScript (JavaScript): <https://github.com/caridy/proposal-realms>

2) Firefox new-style extensions (WebExtensions) are in fact least-privilege.