[vbs_redlof]

What I'd really like to see is some kind of iframe that pins JS/wasm code within it to a particular bundle hash and prevents modification at runtime (even from chrome extensions).

Something more like a TEE inside the browser of sorts. Not sure if there is anything like this.

[kinlan]

Author of the linked post here. This is actually a pretty interesting idea, I'll pass it to the team.

[spankalee]

Enabling the `integrity ` attribute on iframes would help: https://github.com/w3c/webappsec-subresource-integrity/issue...

But then you'd also want the frame content to use `integrity` on nested resoures.

CSP frame-src can help for now.