At the client side the browser has become the infrastructure for handling web
pages. Today, this infrastructure provides the following security services:
– The browser controls how cookies are included in requests; the widely adopted
same origin policy states that a cookie may only be included in requests to
the domain that had set the cookie.
– The browser controls to which extent a script in a web page may access
local memory; in the initial Java sandbox policy a script had no access to
local memory; in the Java 2 security model more fine grained access control
became possible [8].
– The browser controls where a script in a web page may connect to; again,
the same origin policy is usually applied to regulate this aspect.
In all three cases the browser performs access control with respect to an origin
based security policy. To enforce such a policy, the browser must authenticate
the origin of a web page. Current browsers do this in a rudimentary way. They
translate between the IP address of the server the page has been received from
(more on this in section 4) and the domain name of this server, but there is no
fine grained authentication of the individual parts of a web page.
