by cxr
736 days ago
None of the security mitigations described in the post (nor any of those implemented in any browser engine) are aimed at protecting developers against themselves when they run an agglomeration of third-party modules as a single bundle under the same policy.

So browser engines definitely protect developers against themselves a bit.
Although I agree with you that there's only so much you can do for the devs bundling crap themselves, I was wrong on this indeed.
Still, I would not be overly confident with web code running in a browser where security is not well studied if it has any network capacity. Especially if the app displays any external content in something like an iframe.