Comment by arnarbi

Services can certainly make this safer by providing means to get more restricted credentials, so that users can deputize semi-trusted delegates, such as agents vulnerable to injection.

The important point being made in this discussion is that this is already a common thing with OAuth, but mostly unheard of with web sessions and cookies.