We should implement site isolation, where each site (scheme + domain + port) gets its own WebContent process, and code from each origin only runs in that process.
When one site embeds an iframe from another site, we'll have two WebContent processes that will have to coordinate communication, layout, rendering, input, etc.
Here's how they've done it in Chromium:
https://www.chromium.org/Home/chromium-security/site-isolation/
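As an added illustration (not code from this issue or from the browser project it concerns), the C++ sketch below models the allocation described above: a site key of scheme + host + port, a broker that hands each site its own WebContent process id and reuses it when the same site appears again, and a count of the iframes that end up in a different process from their embedder and therefore need the cross-process coordination of layout, rendering and input mentioned in the issue. `SiteKey`, `ProcessBroker`, `parse_site` and `plan_frame_processes` are names assumed for this sketch, and the sample page is constructed. The sketch keys on the issue's scheme + host + port definition; Chromium's own site definition is scheme + registrable domain (eTLD+1), so a real implementation would swap in that key.

```cpp
#include <cctype>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Site key as defined in the issue text: scheme + host + port (assumption for
// this sketch; Chromium keys on scheme + registrable domain instead).
struct SiteKey {
    std::string scheme;
    std::string host;
    int port = 0;

    bool operator==(SiteKey const& o) const { return scheme == o.scheme && host == o.host && port == o.port; }
    bool operator<(SiteKey const& o) const {
        if (scheme != o.scheme) return scheme < o.scheme;
        if (host != o.host) return host < o.host;
        return port < o.port;
    }
};

static std::string lowercase(std::string s) {
    for (auto& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Minimal splitter for "scheme://host[:port]/...". Not a full URL parser: no
// userinfo and no bracketed IPv6 hosts. Returns false on anything it does not
// understand so the caller can treat the frame as opaque and isolate it.
bool parse_site(std::string const& url, SiteKey& out) {
    auto const npos = std::string::npos;
    auto scheme_end = url.find("://");
    if (scheme_end == npos || scheme_end == 0) return false;
    std::string scheme = lowercase(url.substr(0, scheme_end));
    size_t host_start = scheme_end + 3;
    size_t authority_end = url.find_first_of("/?#", host_start);
    std::string authority = url.substr(host_start, authority_end == npos ? npos : authority_end - host_start);
    if (authority.empty()) return false;
    std::string host = authority;
    int port = -1;
    auto colon = authority.rfind(':');
    if (colon != npos) {
        host = authority.substr(0, colon);
        std::string port_str = authority.substr(colon + 1);
        if (port_str.empty() || port_str.size() > 5) return false;
        for (char c : port_str)
            if (!std::isdigit(static_cast<unsigned char>(c))) return false;
        port = std::stoi(port_str);
        if (port > 65535) return false;
    }
    if (port == -1) {
        if (scheme == "http") port = 80;
        else if (scheme == "https") port = 443;
        else return false; // unknown scheme with no explicit port
    }
    host = lowercase(host);
    if (host.empty()) return false;
    out = SiteKey{scheme, host, port};
    return true;
}

// Hands out WebContent process ids: same site -> same process, new site -> new process.
class ProcessBroker {
public:
    int process_for(SiteKey const& site) {
        auto it = m_by_site.find(site);
        if (it != m_by_site.end()) return it->second;
        int pid = m_next_pid++;
        m_by_site.emplace(site, pid);
        return pid;
    }
    // A frame whose URL cannot be classified is never shared with anything.
    int isolated_process() { return m_next_pid++; }
    size_t process_count() const { return static_cast<size_t>(m_next_pid - 1); }

private:
    std::map<SiteKey, int> m_by_site;
    int m_next_pid = 1;
};

// Index 0 is the main document; the rest are the iframes it embeds directly.
std::vector<int> plan_frame_processes(ProcessBroker& broker, std::string const& main_url,
                                      std::vector<std::string> const& iframe_urls) {
    std::vector<std::string> urls;
    urls.push_back(main_url);
    urls.insert(urls.end(), iframe_urls.begin(), iframe_urls.end());
    std::vector<int> plan;
    for (auto const& url : urls) {
        SiteKey site;
        plan.push_back(parse_site(url, site) ? broker.process_for(site) : broker.isolated_process());
    }
    return plan;
}

// Iframes living in a different process from their embedder: each of these
// needs cross-process coordination of layout, rendering and input.
size_t cross_process_frames(std::vector<int> const& plan) {
    size_t n = 0;
    for (size_t i = 1; i < plan.size(); ++i)
        if (plan[i] != plan[0]) ++n;
    return n;
}

int main() {
    ProcessBroker broker;
    // Constructed sample page: a shop embedding an ad network twice plus its own widget.
    auto plan = plan_frame_processes(broker, "https://shop.example/",
        {"https://ads.example/frame", "https://shop.example/widget", "https://ads.example/other"});
    for (size_t i = 0; i < plan.size(); ++i)
        std::cout << "frame " << i << " -> WebContent process " << plan[i] << '\n';
    std::cout << cross_process_frames(plan) << " iframe(s) need cross-process coordination\n";
    return 0;
}
```

Running the sketch on the constructed page yields two processes: the main document and its own widget share one, the two ad-network iframes share the other, and both ad frames count as cross-process boundaries with the embedder.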