Hey Alex,

after digging my head into Angular and SPAs for three years, 2017 brought me back to working on a traditionally architected news site. That's pretty refreshing!

One of my goals for the site is to make it load fast, display fast and be interactive very quickly. That works pretty well: Critical resources are inlined, others and fonts are preloaded but async, and JS is only 60 KB uncompressed.

Sadly all of these measures are rendered alomost useless once advertisement comes in. Advertisers have gone completely amok these days. Performance on the main thread takes a plunge due to:

• Still mostly setTimeout/setInterval driven animations
• Stickiness via scroll event triggered positioning
• Viewport visibility checks via scroll event and .getClientRects()
• Almost no lazy loading of ads or resources
• No awareness for current tab's visibility
• TONS of JavaScript, e.g. I recently saw an ad load 1 MB of JavaScript alone for itself (and using React in development mode)
• The constant load of the main thread is often worse than a reasonably configured Coinhive miner work create.

And that's just the "visible" tip of the iceberg. Ads are huge problem for privacy and security:

• You cannot use CSP
• If you use HTTPS you get punished by getting less money or no booking, because user profiling through referrer is not available
• Login data including password gets stolen via form autofill and are used to track people. Also violates the sites own terms that the user accepted and trusts.
• Navigation gets hijacked and people get sent off to a site with a raffle and have no way of coming back ever again.
• Every move of our users gets tracked by half of the 3rd party scripts

The sad thing is: If you allow ads on your site, you open up Pandora's box. You never know what you get. You give off control.

Finally coming to my question (sorry for the long intro):

Apart of the Chrome team's engagement in the Coalition for Better Ads that focuses mostly on UX, do you put any thoughts in measures and standards that help limiting and controling 3rd party? I'd love to see a sandbox attribute for scripts, I'd love to have an API to distribute computing time per origin, I'd love to see iframes using a separate thread, and I'd love if browsers would proactively block a few of the things above so that we as 3rd party "partners" could point to the browser as the bad guy disallowing certain things.