Yet another reason why each website needs to explicitly ask permission to run client javascript, or else be charged with unauthorized access.
It has always been naive to let the host rather than the visitor navigate the visitor’s session, but even now people will argue that “all the kewl kids are doing it”. Sure, better practices would break the web - but only if you are resigned to running a shitty web.
