The Konqueror browser uses the KHTML HTML rendering engine and the KJS script interpreter, which are KDE-wide components. As such, they need to be resistant to a wide variety of attacks, as they are often used inside other applications, not just Konqueror. Besides basic settings for enabling and disabling scripting, plugins, external references, etc. inside KHTML, much work was focused on details of the window object.

In the early days it was possible to do rather evil things with the engine, and those things propagated up to the container application. For example, the window object could make the window infinitesimally small, move it off-screen, or make it larger than the screen (think picture-in-picture attacks). Therefore we have an increasingly strict set of rules in the window object.
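The kind of rule described above can be sketched as a geometry clamp applied to every script-initiated move or resize. This is an added example, not KHTML's own code: the `Rect` type, the function name `clampScriptGeometry` and the 100-pixel minimum are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstdio>

// Hypothetical types and limits for illustration; not taken from KHTML.
struct Rect { int x, y, w, h; };

const int kMinWidth  = 100;  // assumed smallest size a script may request
const int kMinHeight = 100;

static int clampInt(int v, int lo, int hi) {
    return std::max(lo, std::min(v, hi));
}

// Clamp a script-requested window geometry to the available screen area, so
// the window can be neither vanishingly small, nor larger than the screen,
// nor positioned (even partly) off-screen.
Rect clampScriptGeometry(const Rect& req, const Rect& screen) {
    Rect out;
    // Size first: at least the minimum, at most the screen. On a screen
    // smaller than the minimum, the screen size wins.
    out.w = clampInt(req.w, std::min(kMinWidth, screen.w), screen.w);
    out.h = clampInt(req.h, std::min(kMinHeight, screen.h), screen.h);
    // Then position: the whole window must stay inside the screen rectangle,
    // which may have a non-zero origin on a multi-monitor desktop.
    out.x = clampInt(req.x, screen.x, screen.x + screen.w - out.w);
    out.y = clampInt(req.y, screen.y, screen.y + screen.h - out.h);
    return out;
}

// True when the policy had to change what the script asked for; a container
// application could log or count this.
bool geometryWasAdjusted(const Rect& req, const Rect& applied) {
    return req.x != applied.x || req.y != applied.y ||
           req.w != applied.w || req.h != applied.h;
}

int main() {
    const Rect screen = {0, 0, 1920, 1080};  // constructed sample screen
    const Rect requests[] = {                // constructed sample requests
        {-5000, -5000, 1, 1},        // tiny and off-screen
        {0, 0, 10000, 10000},        // larger than the screen
        {1900, 1000, 400, 300},      // hangs off the bottom-right corner
        {100, 100, 800, 600},        // ordinary request, left untouched
    };
    for (const Rect& r : requests) {
        const Rect a = clampScriptGeometry(r, screen);
        std::printf("(%d,%d %dx%d) -> (%d,%d %dx%d)%s\n", r.x, r.y, r.w, r.h,
                    a.x, a.y, a.w, a.h,
                    geometryWasAdjusted(r, a) ? " [adjusted]" : "");
    }
    return 0;
}
```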

In recent years we have started to make certain UI elements permanent (statusbar), made security indicators more prominent (too prominent? - too many padlocks!), and added more guards to the scripting engine. For example, there is a CPU guard that will prevent runaway scripts from making a system unstable or overly slow.

KHTML was also the first browser engine [to my knowledge] to implement a smart popup blocker which could distinguish between popups that the user actually wanted and those that the site wanted. This has security implications, as some sites at the time were known for popping up endless windows and even trying to obtain clicks in undesired manners.

KDE has tried to implement stricter policies than other browsers have in the past, but most of those are met with an endless stream of bug reports about KHTML not functioning properly, and therefore the restrictions need to be relaxed. This is the unfortunate result of the current market division and the lack of complete and proper standards in the web browser space. Even better communication among browser developers could easily help solve many such problems.