[simonw]

I've actually found it pretty hard in a browser as well - if you want to run untrusted code without it breaking your app or stealing cookies etc.

I've been doing a bunch of work recently with iframe sandbox combined with CSP which appears to be a robust way to do this.

[andrewaylett]

Fair -- but I was more meaning that when I browse an arbitrary untrusted website I almost always allow the site owner to run arbitrary untrusted code on my machine. They might not send me any JS, but if they do then my browser will happily execute it.