In this paper we propose enhancing Web clients with new security mechanisms that can not only prevent ex- isting attacks, but are able to enforce all security policies based on monitoring client behavior. In particular, our new mechanisms support policies that range from disal- lowing use of certain Web client features (., IFRAMEs or OBJECTs) to fine-grained, application-specific invari- ants such as taint-based policies that regulate the flow of credit-card information input by the user. Concretely, we propose that client-side enforcement proceed through a new client mechanism: Mutation- Event Transforms, or METs. METs are introduce here; some details like how to prevent their subversion are in Appendix A. METs allowWeb application security poli- cies.
