This doesn't do that.
Instead, let's solve zero day advertising payloads.
Let's fund a cure for email spam and phishing.
Let's find a cure for site spoofing.
Let's find a cure for "this dialog means I have to click OK to get on with things."
Regarding "domains are controlled," that doesn't matter. If I want to serve pages from www.mydomain and static/CDN content from static.mydomain and services from api.mydomain, those are different domains.
The main solution for a big site is to build all the credential and security logic into the load balancer/HTTPS terminator, which is an almost-guarantee to get version skew and security holes.
All this "secure web" intention only works for small monolithic sites, and doesn't even solve the real security problems on the web.