Simple: Seperate documents, interactivity, and programs.
If I browse the web, I usually want documents.
Sometimes I also want interactivity, like in comment forms, which could be a seperated widget which could only interact in limited ways, and only with the page and the server it connects to.
And then there would be programs, which could access even local files – but would have an installation process like browser extensions.
Giving documents access that normally just programs do is stupid, as we have seen in Word Macro-based malware, PDF-based malware, Browser-based malware (the pdf.js exploit, for example), and so on.
If I browse the web, I usually want documents.
Sometimes I also want interactivity, like in comment forms, which could be a seperated widget which could only interact in limited ways, and only with the page and the server it connects to.
And then there would be programs, which could access even local files – but would have an installation process like browser extensions.
Giving documents access that normally just programs do is stupid, as we have seen in Word Macro-based malware, PDF-based malware, Browser-based malware (the pdf.js exploit, for example), and so on.