Hmm, well firefox could vet them so that they're not 3rd party and the user could permit to inject 'add ons' into every web page loaded. You are allowed to upload html/javascript dynamically (just not shared objects, jvm byte code, etc)

That depends on whether the code is executed using Apple's JavaScriptCore framework, or your own interpreter.

It's a stupid rule, but you can execute arbitrary code if you create a JSContext and load it in your app.

that's such a silly restriction here. Nearly every webpage a user goes to breaks that rule.