Archive

Posts Tagged ‘Mozilla’

Blackhat talk: Language of Trust aka Attacking Interoperability by Mark Dowd, Ryan Smith and David Dewey

July 30th, 2009 Frank Breedijk

Interoperability is everywhere in browsers: Java <-> VBScript, VBScript <-> .NET, .NET <-> JavaScript, JavaScript <-> DOM, etc. This interoperability presents a large attack surface which, up to now, was not well explored.

A lot of code is involved in converting types between the various languages.


Blackhat talk: More Tricks for Defeating SSL in Practice – Moxie Marlinspike

July 30th, 2009 Frank Breedijk

The background: In the past, basic constraints were not properly checked, so any client certificate could be used to create another client certificate that would actually validate.

Moxie wrote the tool SSLSNIFF, which can perform a man-in-the-middle attack on an SSL connection based on this vulnerability, to prove to Microsoft that it could be exploited, contrary to what Microsoft said.

Even though Microsoft and others fixed the vulnerability, the tool is still useful, mainly because people don’t pay attention to certificate warnings. Also, the guys who made the fake CA certificate by means of the MD5 collision used SSLSNIFF to actually exploit it.

But there are more ways to attack SSL than doing a man-in-the-middle attack: SSL stripping.


Mozilla’s case for Content Security Policies

July 2nd, 2009 Frank Breedijk

In this post from 19-6, Mozilla makes a clear case for supporting content security policies.

A content security policy, which is specified here, can impose common-sense security restrictions on the (active) content of a site.

A content security policy can completely kill Cross Site Scripting if it is set to:

  1. Require that all JavaScript is loaded from an external file
  2. Require that this file resides at a specified location