UserAgent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Steps to reproduce the problem:
Extensively described at:
1. https://bugzilla.mozilla.org/show_bug.cgi?id=1487081
2. https://lobste.rs/s/vwcetz/undetectable_remote_arbitrary_code
3. https://medium.com/@giacomo_59737/the-web-is-still-a-darpa-weapon-31e3c3b032b8#5eab
These attacks leave NO evidence on the user's machine.
What is the expected behavior?
The browser should not blindly execute programs that could be customized to attack the user or a third party through the user machines.
The execution of any program should be opt-in instead of opt-out.
JavaScript pages should be marked as "Not Secure" just like HTTP ones.
What went wrong?
A malicious server or CDN could gain control of several victims' resources like
- their IP
- their bandwidth
- their computing power
- their RAM
- their disk (through browser cache)
- potentially other resources (gained through access to system vulnerabilities, think about Spectre/Meltdown)
This sort of attack will be made even worse through the distribution of optimized WebAssembly (that will be way more obscure than obfuscated JavaScript).
Did this work before? No
Chrome version: <Copy from: 'about:version'> Channel: n/a
OS Version:
Flash Version:
Comment 1 by A developer @chromium.org, Today (6 minutes ago)
Status: WontFix (was: Unconfirmed)