Web browsers have become a mandatory component of life in modern society, acting as an operating system for our daily activities. Yet browsers' safety measures fall short of the unprecedented complexity they have taken on to support this role, and these lapses are weaponized against web users by criminals and legitimate businesses alike. Cybersecurity training teaches us to fear clicking the wrong link, lest attackers hijack our computers; meanwhile, a thriving surveillance economy milks our private data from every available JavaScript API. Tearing it all down and rebuilding from scratch is not an option, so this dissertation demonstrates how programming language techniques can harden the browsers we have, rather than the browsers we wish we had, with stronger foundational protections.
We seek to make browsers safer from two angles, security and privacy, and introduce new approaches to both.

On the security side, programming language techniques eliminate whole classes of bugs by design. We contribute ICARUS, a domain-specific language and framework for developing formally verified just-in-time (JIT) compilers, aimed at building better JavaScript engines; and Proton, a system for injecting flexible runtime checks into production browser JITs, applying techniques from compiler validation research to JIT-generated programs in the wild.

On the privacy front, programming language techniques give us principled ways to instrument and neutralize the trackers that stalk us online. We show how browsers still reveal our browsing habits to attackers in the same ways they did 20 years ago, now abetted by the sprawling API surface of the modern web, and propose architectural defenses to close these leaks for good. We also arm content-blocker developers, who are at the front lines of fending off attacks on user privacy, with automated tools to scale their efforts, including SugarCoat, which uses dynamic program analysis to locate and patch out privacy-harming behaviors in real-world tracking scripts.

Our contributions are designed with deployability top of mind, without sacrificing performance or forcing web platform engineers to slow their development velocity. On the contrary: we hope that providing force multipliers to those safeguarding the web will help them push the limits of this platform more confidently, without tearing holes in user security and privacy.