The browser asks the user for permission to do stuff; the really sensitive stuff is pushed back to happening on click events; the even more sensitive stuff runs through code validation. What extra security is needed beyond what we already have with the above?