Providing security guarantees for software systems built out of untrusted components requires the ability to enforce fine-grained access control policies. This is evident in Web 2.0 applications, where JavaScript code from different origins is often combined on a single page, leading to well-known vulnerabilities. We present a security infrastructure that allows users and content providers to specify access control policies over subsets of JavaScript execution traces and that reverts to a safe state if a violation is detected. The proposal is evaluated in the context of a production browser where security principals are based on the browser's same origin policy. Simple security policies can be shown to prevent real attacks without imposing drastic restrictions on legacy applications. We have evaluated our infrastructure with two non-trivial policies on 50 of the Alexa top websites with no changes to the legacy JavaScript code and measured the performance overheads of our instrumentation.
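
A toy model of the mechanism the abstract describes, as an added example that is not the paper's implementation: untrusted code runs against a shared object, its reads and writes are recorded as a trace tagged with an origin, a policy is checked over that trace, and the writes are reverted on a violation. The names `runDelimited` and `noOutboxWriteAfterCookieRead`, the event shape, the sample policy and the sample origin are assumptions made for illustration; the sketch tracks a single object through a `Proxy`, whereas the paper instruments a production browser.

```javascript
// Added example: toy delimited history with revocation over one shared object.
// runDelimited, the event shape and the policy are hypothetical, for illustration.
function runDelimited(principal, target, policy, untrustedFn) {
  const trace = []; // events performed inside this delimited run
  const undo = [];  // inverse operations that restore the prior (safe) state
  const proxy = new Proxy(target, {
    get(obj, key) {
      trace.push({ principal, op: "read", key });
      return obj[key];
    },
    set(obj, key, value) {
      trace.push({ principal, op: "write", key });
      const had = Object.prototype.hasOwnProperty.call(obj, key);
      const old = obj[key];
      undo.push(() => { if (had) obj[key] = old; else delete obj[key]; });
      obj[key] = value;
      return true;
    },
  });
  let error = null;
  try { untrustedFn(proxy); } catch (e) { error = e; }
  const violation = policy(trace) || (error ? String(error) : null);
  if (violation) {
    while (undo.length) undo.pop()(); // revert writes, newest first
    return { committed: false, violation, trace };
  }
  return { committed: true, violation: null, trace };
}

// Constructed history-based policy: after a read of `cookie`, no write to `outbox`.
function noOutboxWriteAfterCookieRead(trace) {
  let sawCookie = false;
  for (const ev of trace) {
    if (ev.op === "read" && ev.key === "cookie") sawCookie = true;
    if (ev.op === "write" && ev.key === "outbox" && sawCookie) {
      return `${ev.principal}: write to outbox after reading cookie`;
    }
  }
  return null;
}

function demo() {
  const page = { cookie: "session=constructed-value", title: "Home" }; // constructed state
  const origin = "https://widget.example"; // constructed third-party origin (the principal)
  const policy = noOutboxWriteAfterCookieRead;
  const benign = runDelimited(origin, page, policy, (p) => { p.title = "Home (1)"; });
  const leaky = runDelimited(origin, page, policy, (p) => { p.banner = "hi"; p.outbox = p.cookie; });
  return { page, benign, leaky };
}
```

The second run is rolled back as a whole, so the `banner` write that preceded the violation is undone along with the `outbox` write, while the first run's change to `title` stays committed.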