by pheres 3244 days ago
"The linked posts dismiss this early because of the possibility to cause DDOS, but really, you can already do that from a hacked desktop 'Quake', so there is no harm in being able to do it from a browser-based 'Quake'."

No same-origin-policy would be lovely combined with XSS vulnerabilities.

Suddenly all the visitors of that website would be doing DDOS on a random host.

1 comments

Well, I would not make that feature available from an included script from a third-party domain, so XSS would not be an issue. I would make something like privileged application bundles that you had to authorize first - just like you have to install native apps. I know some people just click OK on everything, but there is no remedy to that other than giving up and not allowing general-purpose networking at all.

Also, people already exploit XSS for DDOS-ing, although not via UDP, but TCP/HTTP. Granted, you can possibly make a worse attack if you have UDP.