or just separate what are "document" and what are "application", already, and don't mix them up. i would not even mind if there was a separate "docjs" - JS code for which only the document is visible and which can only do stuff upon it, and the "appjs" which can do all of the wild js stuff which our great browser vendors come up with. this way, in various cases, you can turn off the potentially harmful appjs, while keeping the docjs for validating forms, changing layout, implementing tinymce, etc...
IMO the problem is rooted in co-mingling documents and applications on a web page / in an HTML file. let the user save documents in .html: then it should not be able to do any harm - it's a digital sheet of paper! and web applications in, say, .hta: then he should not expect any more isolatedness than for a downloaded .exe or .sh file; and the user client program should treat it with due care when downloading, e.g. by putting it in a separate subfolder, setting the SELinux context, etc...