@mkind @FamilyCyclist @sdueckert @mathew @catsalad @mozilla @torproject @eff Well, it's the idea of the web since Javascript -- at least depending on your definition of "executing code". But I'd argue viewing an HTML file is not executing remote code but local code that's interpreting a declarative(!) file, just like viewing a PNG; I wouldn't call either executing remote code.

That being said, running code from a website is still less of a problem than an extension, since the website's code (barring exploits) can only exfiltrate data I give/enter the website the data anyway. The extension can, in theory, exfiltrate data from any website.