[ikekkdcjkfke]

And the reason we can’t put execution of non-declared code behind a permission is because one anal developer at chrome thinks that we shouldn’t break existing sites even though no serious site would do this and you could just show a permission popup with triangle exclamation mark

[londons_explore]

That's what's great about this - it is an interpreter which allows the attacker to do absolutely anything, but no non-declared code is directly run.

[johnebgd]

Users have largely been trained to click okay when asked to give permission without thinking.