On point 5, "Don't leak referrer value" I would say don't cripple a useful bit of information when you could just NOT pass critical info in the URI. Blocking referrer is kind of a douche move, particularly if you're doing it to cover up for some garbage code that's slopping things into the URIs that DON'T BELONG THERE IN THE FIRST PLACE!!!
If you're putting session tokens and user IDs in the URI, it's like the entire back-end is utter trash that needs to be dragged round back o' the woodshed with a .30-06 and put down like Old Yeller.
On your point 6, it would have been nice if you'd mentioned actual DOM construction techniques as a way to provide "rich" markup without the problems. textContent is good, createTextNode is same, but you combine either with createElement and you're onto something special if you just create a simple "make" routine.
... and FFS NO on the blasted UI framework derpitude. They are -- as my own article outlines -- monuments to ignorance, incompetence, and ineptitude -- that piss on efficiency, usability, and accessibility from so on-high you'd think the almighty just got back from a kegger. React, Vue, Angular, etc. are as big a blight on code efficiency as any other front end "framework", particularly when some scripting junkie can't keep it in their pants and vomits up pages that don't work scripting off. (an instant WCAG violation)
But let me tell you what I really think... That's the watered down version. I just got done spending three hours in a video conference explaining to a client (bank) why they NEED to fire half their IT staff... and their VEHEMENT defense of React -- the very thing that got them into legal trouble in the first place -- is like dealing with cut-rate deluded cultists.
Dependencies? This is the problem with the node.js "ecosystem" and why it's a crappy answer to problems. But then I see the word "ecosystem" and glaze over assuming it's market-speak double-talk worthy of a game of “bullshit bingo.” In a totally proactive paradigm.
The rest of your article though? Right there with you. Not enough people are using CSP, not enough places are using "integrity" to verify off-site resources (It's why I prefer CDNJS for font-awesome), and most people don't even seem to THINK about XSS. Much less "what if I'm framed" ... honestly, if it weren't for how they make YouTube video embeds and advertising so easy, I'd say frameset / iframe support should be dropped from browsers entirely.
Though again, if you stop slopping important information and critical controls that should be secured into URIs... well...
One thing I've been seeing lately that's really troubling? People who enable CSP then disable all the policies. Hurr-durrz.
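
Added example, not part of the comment above: a small Node.js check for a Content-Security-Policy header that is present but whose script sources cancel its protection, plus the framing concern the comment raises. The function names, the rule set and the sample headers are constructed for illustration.

```javascript
// Added example. Sample headers below are constructed, not from a real site.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers: the first occurrence wins.
    if (name && !policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

function auditCsp(header) {
  const policy = parseCsp(header);
  const findings = [];
  // script-src falls back to default-src when it is absent.
  const dir = ["script-src", "default-src"].find((d) => policy.has(d));
  if (!dir) {
    findings.push("no script-src or default-src: script loading is unrestricted");
  } else {
    const src = policy.get(dir);
    const pinned = src.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    const strictDynamic = pinned && src.includes("'strict-dynamic'");
    // Browsers ignore 'unsafe-inline' once a nonce or hash is present.
    if (src.includes("'unsafe-inline'") && !pinned) findings.push(`${dir} allows 'unsafe-inline'`);
    if (src.includes("'unsafe-eval'")) findings.push(`${dir} allows 'unsafe-eval'`);
    // 'strict-dynamic' makes browsers ignore host and scheme sources.
    for (const s of src) {
      if (["*", "http:", "https:", "data:"].includes(s) && !strictDynamic) {
        findings.push(`${dir} allows broad source ${s}`);
      }
    }
  }
  // frame-ancestors has no default-src fallback, so it must be set explicitly.
  const fa = policy.get("frame-ancestors");
  if (!fa) findings.push("no frame-ancestors: the CSP does not restrict framing");
  else if (fa.includes("*")) findings.push("frame-ancestors allows any origin");
  return findings;
}

const samples = [
  "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'",
  "default-src 'self'; script-src 'self' 'nonce-R4nd0m' 'unsafe-inline'; frame-ancestors 'none'",
];
for (const h of samples) console.log(h, "=>", auditCsp(h));
```

An empty result means none of these specific weakening patterns were found, not that the policy is complete.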