by dsacco 4086 days ago
This is a cross-site scripting vulnerability, yes, but client-side crypto does not necessitate cross-site scripting.

This implementation just so happens to not protect against it properly. There are legitimate arguments against client-side cryptography; this is not one of them.

1 comments

The argument is that implementing crypto within an application that is designed to download and execute untrusted code from untrusted servers and has an extremely large attack surface [1] is a difficult if not dangerous task.

[1] your browser

While that may be true, that’s a different class of vulnerabilities that doesn’t include XSS.