@@ -120,7 +120,8 @@ In the present document "**should** ", "**should not** ", "**may** ", "**need no
# Executive summary
Browsers represent one of the most complex and security-critical software products in modern computing, serving as the primary gateway between users and internet resources while processing untrusted content from millions of sources daily. The browser's architecture encompasses multiple interconnected subsystems, including rendering engines, JavaScript execution environments, network stacks, and extension frameworks, each presenting distinct attack surfaces that must be defended while maintaining performance, compatibility with legacy web content, and user autonomy.
Browsers represent one of the most complex and security-critical software products in modern computing, serving as the primary gateway between users and internet resources while processing untrusted content from millions of sources daily. The browser's architecture encompasses multiple interconnected subsystems—including rendering engines, JavaScript/WebAssembly execution environments, network stacks, and extension frameworks, each presenting distinct attack surfaces that must be defended while maintaining performance, compatibility with legacy web content, and user autonomy.
Unlike traditional security products that can enforce restrictive controls, browsers must balance protection against an evolving threat landscape with respect for user choice, creating unique challenges where users may deliberately choose to visit malicious sites, install risky extensions, or disable security features. The browser's multi-layered trust model, spanning from the highly privileged browser core through semi-trusted extensions to completely untrusted web content, requires sophisticated isolation mechanisms, granular permission systems, and careful mediation of system resource access.
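Review bot: the rewritten opening paragraph starts a parenthetical with an em-dash ("subsystems—including rendering engines, ...") but closes it with a comma before "each presenting", leaving the sentence unbalanced; either pair the dash ("... and extension frameworks—each presenting ...") or keep the comma-delimited form of the removed line. The change to "JavaScript/WebAssembly" matches the same edit in the browsing-steps hunk, which keeps terminology consistent across the document.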
@@ -143,9 +144,9 @@ Within the context of an operating system, browsers are user-applications with a
The activity of browsing can be defined in the following steps:
1. A machine accesses remote resources and source code, such as HTML, JavaScript, and CSS.
1. A machine accesses remote resources and source code, such as HTML, JavaScript/WebAssembly, and CSS.
2. This source is represented visually, acoustically, or in some other form.
3. The user interacts with this representation by looking, reading, entering data, clicking, etc.
3. The user interacts with the rendered representation through input and output interfaces, including visual observation, text entry, pointer interaction, or other supported input modalities.
## 1.1 Browser
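Review bot: in the rewritten step 3, "visual observation" is listed as one of the "input modalities", but observing is perception of the output already covered by step 2 (represented "visually, acoustically, or in some other form"), not input; suggest separating the two, e.g. "The user perceives the rendered representation and interacts with it through supported input modalities such as text entry or pointer interaction." The new wording also drops the concrete examples of the removed line (reading, entering data, clicking) without gaining precision, so keeping a short parenthetical of examples would help non-specialist readers.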
@@ -516,16 +517,18 @@ This requirement for user agency fundamentally shapes the browser security model
#### 4.6.1.1 Domain and Origin Isolation
**[DOM]** The manufacturer shall implement security boundaries between different web contexts to prevent unauthorized cross-domain access and maintain the integrity of the same-origin policy.
**[DOM]** The manufacturer shall ensure that execution contexts belonging to different origins are securely isolated to prevent unauthorized data access, code execution, or state manipulation across boundaries.
Isolation shall include process separation, independent storage and cache spaces, and validation of all cross-origin communication through standardized, browser-mediated mechanisms such as Cross-Origin Resource Sharing (CORS), which allows controlled sharing of resources between origins through validated HTTP headers, and postMessage, which provides a secure message-passing interface between isolated contexts (e.g. frames or windows).
Any relaxation of isolation shall be explicitly authorized, documented, and monitored to prevent data leakage or privilege escalation.
**Capability**: Browser implements domain URL isolation and origin-based security contexts (protocol, domain, port combinations)
**Capability**: Browser enforces isolation between domains and origins (defined by scheme, host, and port) to protect integrity and confidentiality of data and execution.
**Conditions**:
- DOM-0: Strict isolation enforced with no relaxation mechanisms
- DOM-1: Isolation with controlled relaxation (CORS, postMessage)
- DOM-2: Isolation with user-configurable exceptions
- DOM-3: Isolation with extensive third-party integration points
* DOM-0: Full isolation: Each origin is strictly separated. No mechanism exists for cross-origin access or relaxation.
* DOM-1: Controlled isolation: Isolation is enforced by default but may be selectively relaxed through standardized, browser-mediated mechanisms (e.g. CORS or postMessage) with explicit validation.
* DOM-2: Configurable isolation: Isolation is enforced by default, but users or administrators can define exceptions via explicit configuration or policy.
* DOM-3: Integrated isolation: Isolation remains in place, but third-party integrations, compatibility modes, or embedded components may introduce controlled exceptions under defined policies.
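Review bot: the new DOM-0 condition ("No mechanism exists for cross-origin access or relaxation") cannot be satisfied by a product that also meets the requirement text earlier in this hunk, which states that isolation "shall include ... validation of all cross-origin communication through standardized, browser-mediated mechanisms such as Cross-Origin Resource Sharing (CORS) ... and postMessage"; either rephrase DOM-0 as "no relaxation beyond the standardized, browser-mediated mechanisms" or soften the shall-clause so a DOM-0 product is not obliged to offer CORS and postMessage. Three smaller points: "Isolation shall include process separation" makes per-origin process isolation a hard requirement, which under the document's should/shall conventions is probably intended as "should", since full process-per-origin separation is resource-intensive and not every browser configuration provides it; "monitored" in "explicitly authorized, documented, and monitored" names no party or mechanism, so state who monitors relaxations and how; and the replacement condition list switches from the document's "-" bullets to "*", while the new Capability line says "domains and origins" although the requirement text speaks only of origins, so use one term (origin, defined by scheme, host and port) throughout.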