Copy of a Comment Elsewhere:

I don't have anything to hide- but a malicious attacker could easily cause me to.

Step One: Maliciously cause the target to click on a link or open a url (Phishing, Exploit, RFE, XSS etc)

Step Two: With JS, one can easy introduce HTTP connections to any number of websites, such as maybe the Talibans official website (They have one!), Google Searches for (to think of a few) "Gaziantep Places to Stay", "Turkey Flights", "Opposition to the Kuffar at home", "Dabiq Magazine", "how to join the Khalifah" etc

This could easily be done in a realisic appearing manner, especially to ISP/GCHQ filters and alerts.

Step Three: If any of this tallies with any physical activity (Let's say the target wanted to go Clay Pigeon Shooting, or Visited a Gun Club because he has in interest in .22 target shooting), then they have a case.

Sure, it's defendable, and this is a really simplistic example. But it's basically ruined the target's life.

Remember, it's probably not the "Government" doing this, as this info will be leaked.

Someone should hack the UK BBC site, Dailymail, etc; and place a few iframes similar to this on them. It would most probably solve this whole case.