Web browsers were originally designed and built as single principal platforms on which a principal, namely a web site, is viewed one at a time and the browser resources are devoted to that site. Web sites then evolved from static, single principal pages, to pages that include foreign content by using tags with a “src” attribute and dynamic content that uses JavaScript® and similar technologies. The Same Origin Policy (SOP) was introduced to try and completely isolate web sites from one another and prevent cross-domain interactions and interferences.
However, with the advent of asynchronous communications and client mashups, the SOP's complete isolation has become too restrictive for this new generation of web services that demand rich cross-domain interactions. While current web browsers have evolved to meet web services' demands, they are still built on top of the old single principal architecture. In these architectures, protection is realized by adding pervasive checks to the existing browser software at the object property and method level rather than by using operating system processes and hardware protections.
Construction in this architecture is error-prone, as is manifested by many vulnerabilities in existing browsers. Often, a vulnerability exploited by a single change to a web site principal compromises the browser and all other principals. Furthermore, browser plugins are treated as part of the browser's trusted computing base and can have direct interactions with system resources. Plugins may even have their own security policies. As a result, compromising a plugin compromises the entire browser, and potentially the entire system.
As the world migrates to a software-as-service paradigm and browsers become a dominant computing platform, the single-principal based browser platform has become an easy target. Widespread web attacks are costly and devastating. While some browsers use OS processes to provide isolation across browser tabs, this granularity of isolation is insufficient because a user may browse multiple mutually distrusting sites in a single tab. Furthermore, a single page may contain an iframe or other embedded content from an untrusted site (e.g., ads).
Thus, what is desired what is desired is a browser operating system which aligns the unit of protection with the existing web site principal. The unit of protection may be an OS process or some other protection mechanisms.