i did not refer to plain security measures. all security measures you listed can be and, in fact, are well hidden under the hood, so the end user does not have to worry about them.
i was more about the insane consequences of today's web's abilities: it wants to do anything and everything with user's computer, it's basically an independent OS.
there is no Line Of Death anymore, no clear boundary between what a user can trust as he trusts the OS vendor and locally installed and audited software vendors, and, on the other side, what he trusts as an unknown 3rd party on the web.
see "paypal.com" vs "paypaI.com", unicode look-alike chars, public suffix list, etc. type of tricks; domain names were invented to be consumable by end users, but as they are sold and used, that's not the case anymore. so users nowadays should not be pressured to watch domain names with bleeding eyes. see the "url bar padlock" issue; several surveys demonstrated that users do not understand and do not care how the padlock feels.
users can not confidently Ctrl-C anything on any website anymore. using "clever" JS APIs, web devs mine bitcoin with the visitor's CPU, DDoS other online resources via the visitor, store CSAM on the visitor's computer, trigger epilepsy in visitors.
then on top of all this, engineers want to solve complexity problems by putting more complexity in (like solving a civilizational problem with more technology). some suggest building in an AI which watches if something appears on the screen which looks like a window but is not?! come on! why not just not let untrusted code do anything on your screen and computer?
I understand client-side scripting is made very powerful and enables many wonders for the entertainment of the masses.
It may be a maintainable path to provide a general-purpose language to the "App Web", where users can run programs with one-click installation (i.e. loading a web app on a web site in the web browser). in this case browser vendors and users should prepare for the possible abuses that the general-purpose in-browser computing environment enables.
but on the other hand, many users with reasonable use cases expect there should be a "Docu Web" just as the WWW was born to be (with necessary improvements and modernizations of course - i don't advocate for a "Mosaic 1.0 experience") with no accidental transition to the "App Web". this other web, the "Docu Web", should be free of any complexity which may lead it to become the "App Web" again: i imagine a library/bookstore/newspaper store/journal/shared notes/etc. network, but online.
so that you don't need to worry that: a jumpscare pops out of a book when you turn to page 123; or other library visitors insert pages in the book you read; or last week's newspaper shows you different articles than it shows your neighbour; or someone reads your mail because you watched his audiovisual report before; or the librarian pushes certain authors and suppresses others based on bribes.
sorry for the seemingly absurd analogies, but there were (and are) times when these were possible on the "All-in Web" due to inconsiderate government and adaptation of standards.
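A defender-side illustration of the "paypal.com" vs "paypaI.com" trick mentioned above: an added example (not from the comment's author) that reduces each DNS label to a look-alike "skeleton" and flags mixed-script labels. The confusable table and brand list are a small constructed subset, not the full Unicode confusables data.

```python
import unicodedata

# Constructed mapping of common look-alikes to the Latin letter they imitate
# (hand-picked subset; the real Unicode confusables table is far larger).
CONFUSABLES = {
    "I": "l", "1": "l", "|": "l", "0": "o",                 # ASCII
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c",       # Cyrillic
    "у": "y", "х": "x", "ӏ": "l", "і": "i", "ј": "j", "ѕ": "s",
    "ο": "o", "α": "a", "ν": "v",                           # Greek
}
MULTI = {"rn": "m", "vv": "w"}  # two-glyph sequences that read as one letter


def skeleton(label: str) -> str:
    """Reduce a DNS label so visually similar spellings compare equal."""
    out = "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", label))
    out = out.lower()  # after the map, so capital I -> l is not lost to i
    for seq, rep in MULTI.items():
        out = out.replace(seq, rep)
    return out


def scripts(label: str) -> set:
    """Set of Unicode scripts used by the letters in a label (digits/hyphens ignored)."""
    found = set()
    for c in label:
        name = unicodedata.name(c, "")
        if " LETTER " in name:
            found.add(name.split(" ")[0])  # e.g. LATIN, CYRILLIC, GREEK
    return found


def decode_label(label: str) -> str:
    """Turn a punycode (xn--) label back into Unicode; leave others untouched."""
    if label.lower().startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def lookalike_findings(hostname: str, brands) -> list:
    """Return human-readable findings for mixed scripts and brand look-alikes."""
    findings = []
    for lab in (decode_label(p) for p in hostname.strip(".").split(".")):
        used = scripts(lab)
        if len(used) > 1:
            findings.append(f"mixed scripts {sorted(used)} in label '{lab}'")
        for brand in brands:
            if lab != brand and skeleton(lab) == skeleton(brand):
                findings.append(f"label '{lab}' looks like '{brand}'")
    return findings
```

The skeleton comparison is what catches "paypaI" (capital i) against "paypal"; the script check catches a Cyrillic "а" mixed into Latin letters even when the brand is not on the list.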