Hacker News

Of all things that can be complained about, JS sandboxing is actually really hardened. I think the issue is the cross-site wild west we have today. Cookies, requests, etc. go all over the place, when it should be isolated to same origin unless specific interactions are needed (and then they should probably be user facing and blockable).

I think the real answer to why this hasn't been toothfully patched yet is ads and the billions of dollars behind it. Not JS developers.



I was talking on a podcast yesterday about a wiki project I’ve been involved in and one of the things that was eye opening for the audience was just how insane those requests can be. We literally pulled up a page that showed a single wiki page making >500 ad server requests.

https://pagexray.fouanalytics.com/q/pathofexile.fandom.com%2...


What in the actual f, that is an insane amount, and really well visualized too! Why? What was the podcast?


It’s all about the history of the wiki and how we went about forking it from Fandom.

https://m.youtube.com/watch?v=kqENNDKd2nw


CDNs were a huge mistake, they are the slow point of many websites and people don't even second guess importing fonts, images and libraries from half a dozen different providers. The pros are grossly overstated and the cons are many.


> Of all things that can be complained about, JS sandboxing is actually really hardened.

It's still very useful for people who want to run arbitrary code on your CPU. Both AMD and Intel have severe flaws, called "speculative execution CPU bugs", that can be exploited to extract credentials, encryption keys, session keys etc. from your computer - even information living in other applications or [hardware layer] VMs.


"toothfully patched"?



