FROST: Your disk drive is the snitch
4 points
1 hour ago
| 1 comment
| protonprivacy.substack.com
| HN
Terr_
1 hour ago
> The interesting thing [...] is that almost every step of the attack uses a browser feature that was shipped in good faith, for genuine performance or developer-experience reasons. [...] Each new capability that browsers ship in the name of “the web as a platform” widens the surface that researchers, and eventually attackers, can pull on.

I wish I knew how to change the direction of browser-culture, back towards the days where remote sites were expected to provide data instead of code, and the exceptions were rare and involved mindful human decisions of trust.

As opposed to a world where you're constantly hitting "please enable ultra-javascript to continue" and people are always creating sandboxes and VMs to wrap around the matryoshka-doll layers of older "do unsafe things safely" measures.
