Firefox's Sandbox

Firefox has several layers in which Javascript functions can be run:

Firefox extensions that want to use a sandbox to run user scripts will create a sandbox area, add a document to the sandbox, load Javascript from local files (or generate it), then use evalInSandbox to run that code on the document in the sandbox.

diagram of interaction between chrome, evalInSandbox and documents

The code run using evalInSandbox will be able to call chrome functions, so must be protected from Javascript running in the original web page: for this reason many functions in the sandbox are unavailable (for example, it's not possible to use watch() to see when an object changes). There are also security hazards to bear in mind when using the sandbox - for example you shouldn't trust the properties of any object in the sandbox to remain unaltered.

A lot of the practical effects of using XPCNativeWrappers are explained in Mark Pilgrim's Avoid Common Pitfalls in Greasemonkey, written a couple of years ago when Greasemonkey was altered to make use of XPCNativeWrapper in order to avoid security holes.

Opera, Safari and IE all have either built-in or third-party support for user scripts, but no details on whether there's any kind of secure sandbox in which they're executed.