Comment by ikekkdcjkfke
2 days ago
And the reason we can’t put execution of non-declared code behind a permission is because one anal developer at Chrome thinks that we shouldn’t break existing sites, even though no serious site would do this and you could just show a permission popup with a triangle exclamation mark.
That's what's great about this - it is an interpreter which allows the attacker to do absolutely anything, but no non-declared code is directly run.
Users have largely been trained to click okay when asked to give permission without thinking.