by nailer 3728 days ago
Weirdly enough I was talking a couple of days ago about requiring things like CSP (which would go very far in defeating XSS) for stuff like webcrypto and other sensitive bits of HTML5.

Someone working for one of the major browsers mentioned they'd considered it but decided against it - not sure on the reasons why but if they're reading this they might like to elucidate...

2 comments

That would be a good first step. It would have to be a subset of CSP. Don't allow inline scripts or eval. Only on https is another step I see as very important.
One reason might be that developers would probably just do the minimum possible CSP rather than following the spirit of it. Unlike with HTTPS, a CSP could be created with the exact same security model as no CSP using directives like unsafe-eval.
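The point raised in the last two comments, that a CSP can be present yet no stricter than having none at all, can be checked mechanically. The following is an added example, not code from the thread or from any browser vendor: a small checker that parses a Content-Security-Policy header and reports whether the effective script policy still permits inline scripts, eval, or scripts from any host. The three sample policies are constructed for illustration; `cdn.example.com` is a placeholder host.

```javascript
// Added example: is this CSP actually restricting scripts, or only present?
// Constructed sample policies; not taken from the thread.

// Parse "directive src src; directive src" into Map(directive -> [sources]).
function parseCsp(header) {
  const policy = new Map();
  for (const rawDirective of header.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Per the spec, a repeated directive is ignored after its first occurrence.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Return the ways a policy fails to constrain script execution. An empty
// list means inline scripts and eval are blocked and allowed origins are
// enumerated, which is the "subset of CSP" the thread is asking for.
function scriptWeaknesses(header) {
  const policy = parseCsp(header);
  // script-src governs scripts; default-src is the fallback when it is absent.
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) {
    return ['no script-src or default-src: scripts are unrestricted'];
  }
  const weaknesses = [];
  const lower = sources.map((s) => s.toLowerCase());
  // CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce or hash source
  // is present, so it is only a weakness on its own.
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    weaknesses.push("'unsafe-inline' without a nonce or hash: inline scripts run");
  }
  if (lower.includes("'unsafe-eval'")) {
    weaknesses.push("'unsafe-eval': eval() and Function() run");
  }
  for (const s of lower) {
    // A bare wildcard or scheme-only source allows scripts from any host.
    if (s === '*' || /^(https?|data|blob):$/.test(s)) {
      weaknesses.push(`${s}: scheme-wide source allows scripts from any host`);
    }
  }
  return weaknesses;
}

// Constructed samples: no policy, a policy that is equivalent to none for
// scripts, and a restrictive one.
const SAMPLES = {
  none: '',
  lax: "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'",
  strict: "default-src 'self'; script-src 'self' https://cdn.example.com",
};

for (const [name, header] of Object.entries(SAMPLES)) {
  const findings = scriptWeaknesses(header);
  console.log(`${name}: ${findings.length === 0 ? 'strict' : findings.join('; ')}`);
}
```

The `lax` sample is the case the second reply describes: a header is sent, so a feature gated on "has a CSP" would be unlocked, yet every script restriction has been opted out of. A gate that instead required `scriptWeaknesses()` to return an empty list would be checking the spirit rather than the presence of the policy.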