Array and object globals cannot be overridden now (since 2007) for literals, and for the ambient authority problem with CORS, just check the Origin header.
... except that those browsers are still out there, so it depends heavily on how much damage someone can do by abusing the data your server can emit whether you need to do the same.
The reason Google and Facebook keep this kind of stuff around is because it's there and doesn't hurt to keep it. There's a slight chance it will provide some protection if a similar attack vector is discovered.
Yes, I'm being somewhat hyperbolic. Bring on the downvotes! ;-)
This is not a bad thing, for the simple reason that every long-lived complex system involving many humans must behave this way.
Any attempt to top-down design the perfect, universal, distributed application runtime hits fundamental social problems not unlike those in a centrally planned economy: too much information to integrate, too many stubbornly uncooperative humans with their own divergent goals and opinions.
Systems at this scale are much more like biology than like circuit design.
The idea that systems are fixed entities that have to be designed correctly up-front is wrong and is one of the reasons why the Waterfall model of software development has been superseded by Agile.
Good systems have to be designed to handle change. Change is the only constant thing in this world.
Security takes a back seat to reproductive fitness of the web as a platform. JS made the web insecure, but it also made it the world's premier application platform.
I blogged about this: http://kylebebak.github.io/post/browser-security-worse-is-be...
All sufficiently complex ecosystems are a giant, flawed mess.
It's not very hard to imagine, especially in an enterprise environment, running a browser 15-20 years from now and that browser loading the equivalent of the JVM, .NET CLR, Ruby VM, etc., on top of WASM :)
AFAIK it never went anywhere, but maybe building an entirely new OS/Browser based around WebIDL seemed less insane 10 years ago.
First of all, browsers are committed to backwards compatibility.