"...and letting me consume videos and stuff in a trusted media player plugin."
HTML5 generally solves this with <audio> and <video>. If implemented correctly by browsers, they should not require any scripting on the site itself to work.
That said, "trusted" media player plugins (think Flash) have been the targets of many successful attacks as well.
I'm thinking a dumb unscriptable video playback frame that draws its own controls and isn't remote-controlled by javascript.
I've seen plenty of sites that see I don't have javascript enabled (or unblocked) and conclude that welp, that guy probably doesn't have speakers, let's display an unhelpful message instead of embedding media content.
Of course there'll still be some attack surface just like people have been managing to exploit image decoding libraries over the years, but at least it wouldn't be engineered against usability by default.