A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier (URI) and may be a web page, image, video, or other piece of content. Hyperlinks present in resources enable users to easily navigate their browsers to related resources.
Original web browsers were static in nature, designed to only render hyperlinked documents in a straightforward manner. Later, scripting protocols such as JavaScript were developed, which allowed scripts to be embedded in the resource to provide simple dynamic functionality, such as user interaction and animated menus.
AJAX, which is shorthand for asynchronous JavaScript and Extensible Markup Language (XML), is a group of interrelated web development techniques used on the client-side to create interactive web applications. The use of AJAX techniques has led to a dramatic increase in interactive or dynamic interfaces on web pages.
Today, AJAX applications can rival desktop applications when it comes to speed and performance.
FIG. 1 is a diagram illustrating the operation of a typical web browser. A resource, such as a web page, is downloaded from a web server 100. Images from the web page are separated out by an image separator 102. The web page is then fed to a document object model (DOM) parser 104, which parses the web page into a DOM data structure (commonly referred to as a DOM tree) 106. The DOM tree 106 is an abstract syntax tree of the document. Content referenced by the web page is then fetched from the web server 100 and in-lined into the DOM. As the content necessary to display the page is downloaded and decompressed, the web page becomes available for viewing. Typically the web page layout is incrementally solved and drawn to the screen. A layout module 108 performs the laying out of the elements of the web page, along with images decoded by image decoder 110. A rendering module 112 then renders the web page in the browser window.
After the initial page load, scripts 114 (written in, for example, JavaScript) respond to events (such as events generated by user input or server messages). The scripts can then rewrite the DOM tree 106 based on the events. This, in turn, causes the page layout to be recomputed and redrawn.
The primary use of JavaScript is to write functions that are embedded in web pages and interact with the DOM tree of the page. Typically such scripts are delineated by the <script> and </script> tags. Some examples of script functionality include:
- Opening or popping up a new window with programmatic control over the size, position, and attributes of the new window (e.g., whether the menus, toolbars, etc. are visible).
- Validation of web form input values to ensure that they will be accepted before they are submitted to the server.
- Changing images as the mouse cursor moves over them (e.g., to draw the user's attention to important links displayed as graphical elements).
Because JavaScript code can run locally in a user's browser (rather than needing to execute on a remote server), it can respond to user actions quickly, making the browser seem more responsive. It is this responsiveness that has allowed browsers to progress from the stage of merely displaying static web pages, to acting as full-blown applications of their own. Indeed, many types of tasks typically reserved for stand-alone applications, such as word processing tasks, spreadsheet tasks, and media player tasks can now be executed from within a browser itself without requiring stand-alone applications. These are referred to as web applications, even though their execution may require little or no interaction with the World Wide Web.
JavaScript can also detect user actions which HyperText Markup Language (HTML) alone cannot, such as individual keystrokes. Applications such as Gmail take advantage of this, as much of its user interface is written in JavaScript, and JavaScript dispatches requests for information (such as the content of an e-mail message) to the server.
A JavaScript engine (also known as a JavaScript interpreter or a JavaScript implementation) interprets JavaScript source code and executes the script accordingly. Most commonly this engine is executed from within a web browser. Web browsers usually use a public Application Programming Interface (API) to create host objects responsible for reflecting the DOM tree into JavaScript.
Security is a big concern when it comes to interaction with networked computers, and with the Internet in particular. Access to various resources must be controlled in order to prevent malicious or accidental misuse of such resources. JavaScript and other dynamic runtime environments allow various actions that present security risks. These actions include:
- Accessing cookies
- Communication with a web server
- Accessing local resources on the host device
- Accessing DOM elements of a web page
The World Wide Web Consortium (W3C) standardizes security access rules for these types of actions. One such standardization is known as the “same origin policy”. The term “origin” refers to a triple of (domain name, protocol, and port number) of a web page containing a particular script or resource. According to the same origin policy, two resources must have identical triples in order to be considered as being of the same origin. Only resources with the same origins are permitted to access resources associated with each other.
Cookies are handled differently than network accesses. A cookie is a small file stored on a user's computer by a web browser and includes one or more name-value pairs containing bits of information such as user preferences, shopping cart contents, the identifier for a server-based session, or other data used by websites. It is sent as a HyperText Transfer Protocol (HTTP) header by a web server to a web browser and then sent back unchanged by the browser each time it accesses that server. A cookie can be used for authenticating, session tracking (state maintenance), and remembering specific information about users, such as site preferences or the contents of their electronic shopping carts.
Rather than the (domain name, protocol, and port number) triple, access permissions for cookies rely on path information. Two paths must be identical in order for the JavaScript running on a web page of the first path to access a cookie of a web page of the second path. For example:
    www.example.com/dir/page.html and
    www.example.com/dir2/other.html
are two different paths and JavaScript running on the first page cannot directly access the cookie of the second, even though they have the same “origin” according to the same origin policy rules outlined above.
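The two access rules described above, the origin triple comparison and the cookie path comparison, can be modeled as follows. This is an added example, not part of the original text: the function names are hypothetical, the http:// scheme on the two sample addresses is an assumption, and the cookie check implements the rule as this page states it (identical directory paths).

```javascript
// Added illustration; all function names are hypothetical.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the (domain name, protocol, port number) triple the text calls an "origin".
function originTriple(address) {
  const u = new URL(address);
  // URL leaves .port empty when the scheme's default port is in use, so fill it in
  // to make "http://host/" and "http://host:80/" compare equal.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { domain: u.hostname, protocol: u.protocol, port };
}

// Same origin only when all three components are identical.
function sameOrigin(a, b) {
  const x = originTriple(a);
  const y = originTriple(b);
  return x.domain === y.domain && x.protocol === y.protocol && x.port === y.port;
}

// Directory part of the URL path, e.g. "/dir/page.html" -> "/dir/".
function cookiePath(address) {
  const p = new URL(address).pathname;
  return p.slice(0, p.lastIndexOf("/") + 1);
}

// Cookie rule as stated in the text: the two paths must be identical.
function sameCookiePath(a, b) {
  return cookiePath(a) === cookiePath(b);
}

// Evaluate both rules for a pair of page addresses.
function accessDecision(a, b) {
  return { sameOrigin: sameOrigin(a, b), sameCookiePath: sameCookiePath(a, b) };
}

// Constructed sample inputs: the two addresses from the text, with an assumed scheme,
// plus variants that differ in exactly one component of the triple.
const first = "http://www.example.com/dir/page.html";
const second = "http://www.example.com/dir2/other.html";
const pairs = [
  [first, second],                                   // same origin, different paths
  [first, "https://www.example.com/dir/page.html"],  // protocol differs
  [first, "http://www.example.com:8080/dir/x.html"], // port differs
  [first, "http://example.com/dir/page.html"],       // domain name differs
];
for (const [a, b] of pairs) {
  console.log(a, "<->", b, accessDecision(a, b));
}
```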
Local resources that can be accessed by JavaScript or other web scripting languages include local devices such as Global Positioning System (GPS) units, cameras, etc. Such devices are commonplace now on cellular phones, which have now become popular web surfing platforms. The local resources also include local file systems. W3C does not yet have a set of concrete access control rules for these types of accesses.
Existing access control checks are performed inside the web browser application itself. In other words, the web browser applications keep track of each page's origin, path, etc. and their access requests and make security decisions based on this information. This requires that the design of the web browser include security modules to handle such processing, which complicates the browser design. It also creates security problems. If a malicious page or web application can compromise a browser (e.g., via a buffer overflow), it can circumvent these security checks and gain full access to all browser data, including cookies or passwords of other pages. This would then also allow the malicious page or web application to access the local resources, which can have a devastating effect on the functioning of the user's device and compromise the user's privacy.
Plug-in support mechanisms cause additional security issues in browsers. A plug-in (also called a plugin, addin, add-in, addon, add-on, snap-in, or snapin) is a computer program that interacts with a host application (a web browser or email client, for example) to provide a certain, usually very specific, function on demand. Common plug-ins include Flash, QuickTime, Silverlight, etc.
Plug-ins run in the same address space as the web browser. Thus, there is no distinction between the primary browser code and the plug-in in terms of capabilities. In other words, a plug-in can access every system resource that a browser can access, including cookies, password files, and local resources. Since plug-ins are usually created and/or distributed by third-parties (i.e., parties other than the creator of the web browser), the threat that malicious code can be imported into the browser code via a plug-in is very high, as users aren't always as careful as they should be about which plug-ins they install.