That's the point I'm questioning - I think browsers should block by default and only allow things that are specifically allowed by the CSP (or by CORS).
For better or worse, technologists have largely decided that backwards compatibility trumps all unless absolutely necessary. This means ELS for security patches, only non-breaking changes to the web (which is how we ended up with 'use strict' in JavaScript), and even if it is "more secure", if it could break some portion of people's websites it must not be done by default, but must be opted into.
I don't personally agree with the decisions - but I can understand why they are made. It's easier to say I'd personally choose to give devs the finger and tell them to fix their code than to actually give devs the finger and tell them to fix/update their code.
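To make the "block by default, allow only what the policy lists" model concrete, here is an added example (not code from anyone in this thread) that evaluates a simplified subset of CSP source matching: `'self'`, `'none'`, `*`, scheme sources like `https:`, and host sources with an optional scheme, port and leading wildcard label. Nonces, hashes, `'strict-dynamic'`, path matching and redirect handling are deliberately left out, and the sample page origin, header and URLs are constructed for the demo. The point it shows is that a site opting into `default-src 'none'` gets exactly the deny-by-default behaviour the thread is arguing about, while a page with no CSP header still gets today's allow-everything default.

```python
"""Simplified CSP source matching: deny by default once a policy exists.

Added example, not from the discussion above. Implements only a subset of
the CSP source-expression grammar; real browsers do far more.
"""
from urllib.parse import urlsplit


def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)  # first occurrence of a directive wins, as in CSP
    return policy


def _host_matches(pattern_host, host):
    # "*.example.com" matches a.example.com but not example.com itself.
    if pattern_host.startswith("*."):
        return host.endswith(pattern_host[1:]) and host != pattern_host[2:]
    return pattern_host == host


def source_allows(source, url, page_origin):
    """Does one CSP source expression permit fetching `url` from `page_origin`?"""
    src = source.lower()
    target = urlsplit(url)
    page = urlsplit(page_origin)
    if src == "'none'":
        return False
    if src == "'self'":
        return (target.scheme, target.hostname, target.port) == (
            page.scheme, page.hostname, page.port)
    if src == "*":
        return target.scheme in ("http", "https", "ws", "wss")  # simplification
    if src.endswith(":") and "/" not in src:  # scheme source, e.g. "https:"
        return target.scheme == src[:-1]
    # host source: [scheme://]host[:port]
    pat = urlsplit(src if "://" in src else "//" + src)
    if pat.hostname is None:
        return False
    if pat.scheme:
        if pat.scheme != target.scheme:
            return False
    elif target.scheme not in (page.scheme, "https"):  # schemeless: page scheme, https upgrade allowed
        return False
    if not _host_matches(pat.hostname, target.hostname or ""):
        return False
    return pat.port == target.port  # simplification: explicit ports must match exactly


def is_allowed(header, directive, url, page_origin):
    """Consult the directive, fall back to default-src, and block if neither
    lists a matching source. With no policy at all, the answer is 'allow',
    which is the backwards-compatible browser default the thread describes."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True
    return any(source_allows(s, url, page_origin) for s in sources)


# Constructed sample values for the demo.
PAGE = "https://app.example.com"
STRICT = ("default-src 'none'; script-src 'self' https://cdn.example.com; "
          "img-src *.example.com; connect-src https:")

if __name__ == "__main__":
    checks = [
        ("script-src", "https://app.example.com/app.js"),
        ("script-src", "https://evil.example.net/x.js"),
        ("img-src", "https://static.example.com/a.png"),
        ("font-src", "https://fonts.example.com/f.woff"),  # no directive -> default-src 'none'
    ]
    for directive, url in checks:
        print(f"{directive:12} {url:45} strict={is_allowed(STRICT, directive, url, PAGE)} "
              f"no-policy={is_allowed('', directive, url, PAGE)}")
```

Running it prints one line per check, and the `font-src` row is the interesting one: nothing in the policy names fonts, so the strict header falls through to `default-src 'none'` and blocks, whereas the empty header allows it. That is the difference between the opt-in model browsers ship and the block-by-default model the first comment asks for.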