"We can embed snippets of JavaScript within the debugging data to locate a binding's value." - I see this as a security risk, but then again so much code is executed by the browser so it probably is okay.
It would be executing in the same tab as the javascript that the user is debugging, so it's no different than the javascript on the page in the first place.
