Adding more security headers every year feels like strapping seatbelts onto a collapsing roller coaster. It would be better to stop this "sec headers stack" in favour of simpler, secure-by-default browser primitives with explicit opt-out. Taking https://securityheaders.com as an example, the list nowadays is as follows:
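To make the "headers stack" concrete, here is an added example (my own code, not from securityheaders.com or any commenter) that parses a raw response header block and audits it against a small baseline of the security headers such checkers typically look for. The baseline and the constructed sample responses are my own assumptions, not the list the comment refers to; the checks flag missing headers and a few weak values (short HSTS max-age, CSP script-src allowing 'unsafe-inline' or '*', no clickjacking protection, X-Content-Type-Options not set to nosniff).

```python
"""Audit HTTP response headers against a baseline of common security headers.
Added example for this thread; the baseline is an assumption, not the page's list."""
import re
from typing import Dict, List

ONE_YEAR = 31536000  # seconds; common minimum recommended HSTS max-age

# Assumed baseline of headers a secure-by-default response should carry.
EXPECTED = {
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
}

# Constructed sample: a response that carries some headers but has weak values.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=300
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
"""

# Constructed sample: the same response with the findings addressed.
HARDENED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Permissions-Policy: camera=(), microphone=()
"""


def parse_header_block(raw: str) -> Dict[str, str]:
    """Parse a status line plus header lines into a lower-cased name -> value map.
    Repeated headers are joined with ', ' as RFC 9110 allows."""
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    body = lines[1:] if lines and lines[0].startswith("HTTP/") else lines
    for line in body:
        if ":" not in line:
            continue  # skip malformed lines rather than failing the audit
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means no issues."""
    findings: List[str] = []
    for name in sorted(EXPECTED):
        if name not in headers:
            findings.append(f"missing: {name}")
    hsts = headers.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if m is None or int(m.group(1)) < ONE_YEAR:
            findings.append("weak: strict-transport-security max-age below one year")
    csp = parse_csp(headers.get("content-security-policy", ""))
    # script-src falls back to default-src when absent, as the CSP spec defines.
    script_src = csp.get("script-src", csp.get("default-src", []))
    for bad in ("'unsafe-inline'", "*"):
        if bad in script_src:
            findings.append(f"weak: content-security-policy script-src allows {bad}")
    if "frame-ancestors" not in csp and "x-frame-options" not in headers:
        findings.append("missing: clickjacking protection (frame-ancestors or x-frame-options)")
    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("weak: x-content-type-options is not 'nosniff'")
    return findings


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_headers(parse_header_block(raw)) or "no findings")
```

Run against a real site you operate by pasting the header block from `curl -sI` into `parse_header_block`; the point of the sample pair is that every finding on the weak response maps to one header change on the hardened one.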
Yeah, redoing the defaults would probably be good.
On the other hand, I tried doing a Google search with javascript disabled today, and I learned that Google doesn't even allow this. (I also thought "maybe that's just something they try to pawn off on mobile browsers", but no, it's not allowed on desktop either.)
So the state of things for "how should web browsers work?" seems to be getting worse, not better.
I used elinks once to find a solution to an issue where the login screen was broken after an upgrade. I was able to switch to a virtual console, find out about the issue, identify the commands to fix the issue, and use them to resolve the issue.
I think it still works if you set your user agent to something like lynx. I had a custom UA set for Google search in Firefox just for this purpose and to disable AI overviews.
I just tried with the "links" browser and I get an "Update your browser. Your browser isn't supported anymore. To continue your search, upgrade to a recent version"
The robots.txt approach offers a good way to define specific behavior for the whole domain, for example. Something like that for security could be enough for a large number of websites.
Also, a new header like “sec-policy: foo-url” may be a clean way to move away that definitions from the app+web+proxy+cdn mesh to a fixed clear point.
I reply to myself because I've found that idea already proposed:
"Origin policy was a proposal for a web platform mechanism that allows origins to set their origin-wide configuration in a central location, instead of using per-response HTTP headers." - https://github.com/WICG/origin-policy
But their status is "[On hold for now]" since, at least, three years ago.
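The origin-wide configuration that Origin Policy proposed can be approximated today on the server side. Here is an added example (my own code, not from the Origin Policy proposal or any commenter) of a WSGI middleware that applies a central, secure-by-default header set to every response, lets the application keep any header it set explicitly, and allows an explicit per-response opt-out; the default set and the `X-Origin-Policy-Opt-Out` header name are my own assumptions.

```python
"""Central origin-wide security headers with explicit opt-out, as WSGI middleware.
Added example; the defaults and the opt-out header name are assumptions."""
from typing import Callable, Iterable, List, Tuple

Header = Tuple[str, str]

# Assumed origin-wide defaults, applied unless the app sets or opts out of a header.
ORIGIN_DEFAULTS: List[Header] = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]

# Hypothetical internal header: a comma-separated list of default headers this
# response explicitly declines. It is stripped before the response leaves.
OPT_OUT_HEADER = "X-Origin-Policy-Opt-Out"


def apply_origin_policy(headers: List[Header], defaults: List[Header]) -> List[Header]:
    """Merge origin-wide defaults into a response's headers.
    App-set headers win; opted-out defaults are skipped; the opt-out marker is removed."""
    present = {name.lower() for name, _ in headers}
    opt_out = {
        item.strip().lower()
        for name, value in headers
        if name.lower() == OPT_OUT_HEADER.lower()
        for item in value.split(",")
    }
    out = [(n, v) for n, v in headers if n.lower() != OPT_OUT_HEADER.lower()]
    for name, value in defaults:
        if name.lower() not in present and name.lower() not in opt_out:
            out.append((name, value))
    return out


class OriginPolicyMiddleware:
    """Wraps a WSGI app so every response passes through apply_origin_policy."""

    def __init__(self, app: Callable, defaults: List[Header] = ORIGIN_DEFAULTS):
        self.app = app
        self.defaults = defaults

    def __call__(self, environ, start_response) -> Iterable[bytes]:
        def wrapped_start(status, headers, exc_info=None):
            return start_response(status, apply_origin_policy(headers, self.defaults), exc_info)

        return self.app(environ, wrapped_start)


def respond_with(app_headers: List[Header]) -> List[Header]:
    """Run a one-off app that emits app_headers through the middleware and
    return the headers that would actually be sent (constructed test harness)."""
    def app(environ, start_response):
        start_response("200 OK", list(app_headers))
        return [b"ok"]

    sent = {}

    def start_response(status, response_headers, exc_info=None):
        sent["headers"] = response_headers

    list(OriginPolicyMiddleware(app)({}, start_response))
    return sent["headers"]


if __name__ == "__main__":
    print(respond_with([("Content-Type", "text/html")]))
    print(respond_with([
        ("Content-Type", "text/html"),
        ("Content-Security-Policy", "default-src 'self'"),
        (OPT_OUT_HEADER, "Strict-Transport-Security"),
    ]))
```

The design point is that the policy lives in one place (the middleware) rather than being spread across app, web server, proxy and CDN, and deviation from it is visible in the code as an explicit opt-out rather than as a silently missing header.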
This is an extremely common approach across industries. Look into diesel engine emission control systems sometime if you aren't familiar. The last few decades have been bolting one new system on every few years because the ones already added continue to cause unintended reliability problems.
CDNs manage user TLS certificates and that is one of the advantages of using them.
A node server could negotiate https close to the user, do caching stuff and create another https connection to your local server (or reuse an existing one).
[0]: https://github.com/martanne/vis