Numerous Sites Explicitly Open To Cross Site Scripting

A survey of top websites has revealed that many, including unnamed Bitcoin-holding websites, have a header set which explicitly allows third-party JavaScript to run on their pages without any check on the code's origin (archived). Web stack security is exactly as bad as you thought it was. Unless you didn't think it was this bad, in which case it is far worse than you think. Of course, Coinbase would never be the same if they removed their Gravatar integration.
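The header in question is assumed here to be Content-Security-Policy, whose script-src directive is what decides which origins may serve JavaScript. The following audit helper is an added example, not code from the post or the survey it cites; the sample headers are constructed, and it flags the source expressions that remove the origin check entirely plus the case where no script policy is set at all.

```python
# Added example: parse a Content-Security-Policy header (assumed to be the header
# the post refers to) and report whether its effective script policy lets scripts
# from any origin run. Sample headers are constructed for illustration.
from typing import Dict, List, Optional

# Source expressions that make the browser skip origin checks for scripts.
OVERLY_BROAD = {"*", "'unsafe-inline'", "data:", "http:", "https:", "blob:"}

# Constructed sample headers (hypothetical, not taken from any real site).
WEAK_HEADER = "default-src 'self'; script-src 'self' * 'unsafe-inline'"
STRICT_HEADER = "default-src 'none'; script-src 'self' https://cdn.example.com; img-src *"


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]}.
    Per the CSP spec the first occurrence of a directive wins, so repeats are ignored."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: Dict[str, List[str]]) -> Optional[List[str]]:
    """Effective script source list: script-src, else default-src, else None (no restriction)."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def audit_script_policy(header: str) -> List[str]:
    """Return findings; an empty list means script origins are actually restricted."""
    sources = script_sources(parse_csp(header))
    if sources is None:
        return ["no script-src or default-src: scripts from any origin are allowed"]
    findings = []
    for src in sources:
        if src in OVERLY_BROAD:
            findings.append(f"{src} allows scripts without an origin check")
        elif src.startswith("*.") or src.startswith("https://*."):
            # Wildcard host: every subdomain under it may serve scripts.
            findings.append(f"{src} allows any subdomain to serve scripts")
    return findings


if __name__ == "__main__":
    for name, header in (("weak", WEAK_HEADER), ("strict", STRICT_HEADER)):
        print(name, audit_script_policy(header) or ["script origins restricted"])
```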
