steal your cookies.
Not if it's in iframes \o/ which everybody hates but is still the 'webview' of the web.
Didn't know about that. So with iframes you can safely embed foreign code ?
Yup, see the MDN page about it — HTML5 added more nice things like the sandbox attribute.
