Anticipating and hardening the Web against socio-technical security attacks
by Stamm, Sidney L., Ph.D., INDIANA UNIVERSITY, 2009, 219 pages; 3344603

Abstract:

The Internet, and the World Wide Web in particular, is becoming an increasingly important resource to people in modern society. Mostly, people are browsing the web for news, shopping, blogging, researching, or simply surfing; the vast majority of Internet use is browsing the Web with one of many browsers. To appease users' demand for robust and novel web applications, programmers are discovering new tricks to add unique or novel behavior to their web sites (through asynchronous data fetching, or animations). Though these features are based on mature languages and standards, new security problems are often uncovered with each new trick. Many of these are socio-technical problems: the result of technological nuances in the use of scripting or other web technologies coupled with the way people interact with the web sites. This sociological spin on technical security problems, introducing an element of deception, makes the security of the web more complex and not easily patched with simple software fixes.

The web was not designed with security in mind, only utility. In its evolution from simple HTML, it has inflated to have a colossal number of technologies and features supported by browsers that have increased the web's potential for misuse. It is time to reconsider fundamental control of web content, and this dissertation shows how to begin. Most security problems with web applications stem from loose control of data; there are no strictly enforced policies that dictate how information can flow between technologies in the web browser or out from a web application's domain. This dissertation investigates the underlying problems in the way data is transferred in and out of browsers and their components by analyzing a variety of security problems and their corresponding solutions. Through presentation and analysis of some cases, underlying themes are exposed that can eventually be used to address web security on a more fundamental level.

Adviser: Markus Jakobsson
School: INDIANA UNIVERSITY
Source: DAI/B 70-02, p. , Apr 2009
Source Type: Dissertation
Subjects: Computer science
Publication Number: 3344603