No, I don't have any good ideas. Just hoping someone else does, or that I'm missing something.

I think it's in the hands of browser vendors.

The agent review a la socket.dev probably doesn't address all the gaps. I think you're already doing about as much as you reasonably can.

Thanks. The question has made me wonder about the value of some sort of real time verification service.

	▲	Nevermark an hour ago \| parent [-]
		If it's possible to isolate that part of the code, and essentially freeze it for long periods. At least people would know it wasn't being tweaked under them all the time. That is my half of a bad idea.