These features are useful to someone but having them available to any script on a page is obviously increasing the attack area available.
There should be some way to turn on APIs that can't be done in code. For instance, add tags within the head of a HTML document that first switch off all APIs (we always have to think of backwards compatibility) and then list the APIs required by the page.
Biting the hand that feeds IT
