A conundrum indeed. If you patch security holes as you find them, how will you ever know if you’ve plugged all the holes?
Well that’s easy, my friend. Just get rid of what’s causing the holes.
If you read that chapter, some of the early documented security holes are pretty wild, like this one:
[people used] the file:/// URL to discover the contents of the root directory of the client's system, and could recursively proceed to determine the client's entire directory structure
Of course, if you use node, this particular exploit is still feasible by merely running npm i and having a malicious package somewhere deep in your dependencies — but I digress.
This hobble birthed the idea of cross-origin restrictions and eventually made it into XMLHttpRequest and later everything CORS.
It’s all a fascinating history. Go listen to the talk if this sounds like your cup of tea.