← All posts
6 min read

What a Browser Does: From URL to Interactive Page

#technology#computer-science#browser#web
📑 On this page

A browser is not merely a program that downloads an HTML file. It is a network client, document processor, programming runtime, graphics engine, storage manager, and security boundary.

A browser obtains web resources, interprets their structure and presentation, executes permitted code, enforces origin rules, and renders an interactive result.

One visible page can involve many processes, requests, and rendering stages.

When you enter a URL, the browser:

  1. Parses scheme, host, port, path, query, and fragment.
  2. Applies browser policies and possible redirects.
  3. Checks caches and service workers.
  4. Resolves the domain if needed.
  5. Chooses a network route and protocol.
  6. Establishes HTTPS.
  7. Sends an HTTP request.

Autocomplete and search behavior may transform text before navigation. Typing words without a valid scheme or domain can send a search query instead.

Networking

The browser relies on the operating system and its own networking stack.

It manages:

  • Connection reuse
  • HTTP/2 or HTTP/3 streams
  • Proxy settings
  • Cookies
  • Caching
  • Redirects
  • Authentication
  • Compression

Modern browsers can request many resources concurrently while respecting priorities and server capabilities.

The main HTML often reveals additional dependencies only after parsing begins.

Parsing HTML

The browser reads HTML and builds the Document Object Model, or DOM.

The DOM is a tree of nodes representing elements, text, attributes, and relationships.

Malformed HTML does not usually stop the browser. Parsing rules define error recovery so old and imperfect pages render consistently.

Parsing can begin before the complete response arrives, enabling progressive rendering.

Scripts can pause parsing if they must execute before later markup is interpreted.

Parsing CSS

CSS resources are parsed into structures representing style rules.

The browser combines:

  • Browser defaults
  • User preferences
  • Page styles
  • Inline declarations
  • Inheritance
  • Cascade and specificity

It determines the computed style for relevant elements.

CSS can block initial rendering because drawing unstyled content and then rearranging it can create a disruptive flash.

JavaScript execution

JavaScript can:

  • Read and modify the DOM
  • Change styles
  • Respond to events
  • Request data
  • Use browser APIs
  • Store state

The browser's JavaScript engine parses and compiles code, manages memory, and performs garbage collection.

Most page JavaScript on the main thread shares time with input handling and rendering. Long-running code can make the interface freeze.

Web workers allow selected JavaScript to run in background threads without direct DOM access.

Style, layout, paint, and composite

Rendering can be simplified into stages:

Style

Determine which CSS rules apply.

Layout

Calculate element sizes and positions.

Paint

Create drawing commands for text, backgrounds, borders, shadows, and images.

Composite

Combine painted layers, often using the GPU, into the final frame.

Changes can trigger different amounts of work. Updating a transform may require only compositing, while changing an element's width can force layout for surrounding content.

Browsers optimize aggressively, but page design still matters.

A concrete page load

Suppose a news site loads:

  1. Browser requests HTML.
  2. Parser finds a stylesheet and starts downloading it.
  3. It discovers images and preload hints.
  4. A deferred script downloads without blocking HTML parsing.
  5. CSS is parsed and styles computed.
  6. Initial layout and paint create visible content.
  7. JavaScript attaches event listeners.
  8. An API request fetches personalized stories.
  9. DOM updates add those stories.
  10. Images decode and replace placeholders.

The page can become useful before every resource finishes.

Performance metrics distinguish first content, largest visible content, interaction responsiveness, and layout stability.

Browser processes and sandboxes

Modern browsers often separate:

  • Browser UI and privileged coordination
  • Site renderer processes
  • Network services
  • GPU process
  • Utility processes

Renderer sandboxes restrict direct operating-system access.

Site isolation can place different sites into separate processes, limiting the damage if one renderer is compromised.

This architecture costs memory but improves security and crash containment.

Same-origin policy

The same-origin policy prevents a page from freely reading data from another origin.

An origin consists of:

scheme + host + port

Cross-origin resource sharing, or CORS, lets servers grant controlled reading permission.

CORS is enforced by browsers. It is not a firewall and does not prevent non-browser clients from making requests.

Other mechanisms, such as Content Security Policy, restrict where resources and scripts can come from.

Storage and state

Browsers manage:

  • Cookies
  • Local storage
  • Session storage
  • IndexedDB
  • HTTP cache
  • Service-worker cache

Storage is partitioned or restricted increasingly to reduce cross-site tracking.

Private-browsing modes limit persistence but do not make activity invisible to networks, employers, websites, or downloaded malware.

Developer tools

Browser developer tools expose:

  • DOM and styles
  • Network timing
  • Console messages
  • JavaScript debugging
  • Storage
  • Performance profiles
  • Accessibility tree

The Network panel can reveal whether a delay comes from DNS, connection, server wait, download, or a blocked dependency.

The Performance panel can show long JavaScript tasks, layout, paint, and frame timing.

These tools turn a page from a black box into observable stages.

Extensions

Extensions can modify pages and browser behavior.

Depending on permission, an extension may read browsing data, alter content, block requests, or access tabs.

Install only trusted extensions and review permissions. A compromised extension can see sensitive information even when HTTPS protects the network connection.

Browser security includes the code allowed inside the endpoint, not only transport encryption.

Common misunderstandings

"The browser displays the HTML file directly"

It parses HTML into a DOM, combines styles, executes code, calculates layout, paints, and composites.

"CORS protects a server from all unwanted requests"

It controls whether browser scripts can read cross-origin responses. Servers still need authentication and request validation.

"Private browsing makes a user anonymous"

It mainly limits local history and storage persistence.

"A page finishing download means it is ready"

Parsing, JavaScript, rendering, fonts, images, and API requests can continue after network transfer.

Knowledge check

1. What tree does HTML parsing create?

The Document Object Model, or DOM.

2. What are the four simplified rendering stages?

Style calculation, layout, paint, and compositing.

3. Why do browsers use separate renderer processes?

They improve site isolation, crash containment, and sandbox security.

4. What does the same-origin policy restrict?

It prevents one origin's page from freely reading protected data belonging to another origin.

The one idea to remember

A browser is a complete application platform, not a passive page downloader.

It coordinates networking, parsing, code execution, security, storage, layout, graphics, accessibility, and user interaction to turn web resources into an experience.

Next, we will focus on HTML, the language that gives web content structure and meaning.