Matryoshka


Presented at OWASP AppSec EU 2013 by

In recent years some people have taken on the task of trying to fix web security. Let's say we fixed all our problems. Let's say we all use context-aware auto-escaping templates, and we all use a secure CSP at a site-wide layer. Let's say everyone was using an up-to-date browser. Let's say that our databases and backends were enforcing access control for the application. Let's say there are no more APIs that permit attacks like LFI or SQL injection. Let's say that we don't need to worry about Java, Flash, Silverlight, Acrobat, and so on. Let's say mixed content wasn't a problem anymore. Let's say we didn't need CSRF tokens anymore. Let's say all servers around the world were using DH key exchange and Channel ID. Let's say the whole world was using two-factor authentication. Let's say that all our frameworks were developed in such a way that introducing vulnerabilities is the path of most resistance. What's next? This talk would be a quick "these old problems are getting fixed!", immediately followed by "what's next is even better".