What a Browser Does: From URL to Interactive Page
📑 On this page
- Navigation begins with a URL
- Networking
- Parsing HTML
- Parsing CSS
- JavaScript execution
- Style, layout, paint, and composite
- Style
- Layout
- Paint
- Composite
- A concrete page load
- Browser processes and sandboxes
- Same-origin policy
- Storage and state
- Developer tools
- Extensions
- Common misunderstandings
- "The browser displays the HTML file directly"
- "CORS protects a server from all unwanted requests"
- "Private browsing makes a user anonymous"
- "A page finishing download means it is ready"
- Knowledge check
- The one idea to remember
A browser is not merely a program that downloads an HTML file. It is a network client, document processor, programming runtime, graphics engine, storage manager, and security boundary.
A browser obtains web resources, interprets their structure and presentation, executes permitted code, enforces origin rules, and renders an interactive result.
One visible page can involve many processes, requests, and rendering stages.
Navigation begins with a URL
When you enter a URL, the browser:
- Parses scheme, host, port, path, query, and fragment.
- Applies browser policies and possible redirects.
- Checks caches and service workers.
- Resolves the domain if needed.
- Chooses a network route and protocol.
- Establishes HTTPS.
- Sends an HTTP request.
Autocomplete and search behavior may transform text before navigation. Typing words without a valid scheme or domain can send a search query instead.
Networking
The browser relies on the operating system and its own networking stack.
It manages:
- Connection reuse
- HTTP/2 or HTTP/3 streams
- Proxy settings
- Cookies
- Caching
- Redirects
- Authentication
- Compression
Modern browsers can request many resources concurrently while respecting priorities and server capabilities.
The main HTML often reveals additional dependencies only after parsing begins.
Parsing HTML
The browser reads HTML and builds the Document Object Model, or DOM.
The DOM is a tree of nodes representing elements, text, attributes, and relationships.
Malformed HTML does not usually stop the browser. Parsing rules define error recovery so old and imperfect pages render consistently.
Parsing can begin before the complete response arrives, enabling progressive rendering.
Scripts can pause parsing if they must execute before later markup is interpreted.
Parsing CSS
CSS resources are parsed into structures representing style rules.
The browser combines:
- Browser defaults
- User preferences
- Page styles
- Inline declarations
- Inheritance
- Cascade and specificity
It determines the computed style for relevant elements.
CSS can block initial rendering because drawing unstyled content and then rearranging it can create a disruptive flash.
JavaScript execution
JavaScript can:
- Read and modify the DOM
- Change styles
- Respond to events
- Request data
- Use browser APIs
- Store state
The browser's JavaScript engine parses and compiles code, manages memory, and performs garbage collection.
Most page JavaScript on the main thread shares time with input handling and rendering. Long-running code can make the interface freeze.
Web workers allow selected JavaScript to run in background threads without direct DOM access.
Style, layout, paint, and composite
Rendering can be simplified into stages:
Style
Determine which CSS rules apply.
Layout
Calculate element sizes and positions.
Paint
Create drawing commands for text, backgrounds, borders, shadows, and images.
Composite
Combine painted layers, often using the GPU, into the final frame.
Changes can trigger different amounts of work. Updating a transform may require only compositing, while changing an element's width can force layout for surrounding content.
Browsers optimize aggressively, but page design still matters.
A concrete page load
Suppose a news site loads:
- Browser requests HTML.
- Parser finds a stylesheet and starts downloading it.
- It discovers images and preload hints.
- A deferred script downloads without blocking HTML parsing.
- CSS is parsed and styles computed.
- Initial layout and paint create visible content.
- JavaScript attaches event listeners.
- An API request fetches personalized stories.
- DOM updates add those stories.
- Images decode and replace placeholders.
The page can become useful before every resource finishes.
Performance metrics distinguish first content, largest visible content, interaction responsiveness, and layout stability.
Browser processes and sandboxes
Modern browsers often separate:
- Browser UI and privileged coordination
- Site renderer processes
- Network services
- GPU process
- Utility processes
Renderer sandboxes restrict direct operating-system access.
Site isolation can place different sites into separate processes, limiting the damage if one renderer is compromised.
This architecture costs memory but improves security and crash containment.
Same-origin policy
The same-origin policy prevents a page from freely reading data from another origin.
An origin consists of:
scheme + host + portCross-origin resource sharing, or CORS, lets servers grant controlled reading permission.
CORS is enforced by browsers. It is not a firewall and does not prevent non-browser clients from making requests.
Other mechanisms, such as Content Security Policy, restrict where resources and scripts can come from.
Storage and state
Browsers manage:
- Cookies
- Local storage
- Session storage
- IndexedDB
- HTTP cache
- Service-worker cache
Storage is partitioned or restricted increasingly to reduce cross-site tracking.
Private-browsing modes limit persistence but do not make activity invisible to networks, employers, websites, or downloaded malware.
Developer tools
Browser developer tools expose:
- DOM and styles
- Network timing
- Console messages
- JavaScript debugging
- Storage
- Performance profiles
- Accessibility tree
The Network panel can reveal whether a delay comes from DNS, connection, server wait, download, or a blocked dependency.
The Performance panel can show long JavaScript tasks, layout, paint, and frame timing.
These tools turn a page from a black box into observable stages.
Extensions
Extensions can modify pages and browser behavior.
Depending on permission, an extension may read browsing data, alter content, block requests, or access tabs.
Install only trusted extensions and review permissions. A compromised extension can see sensitive information even when HTTPS protects the network connection.
Browser security includes the code allowed inside the endpoint, not only transport encryption.
Common misunderstandings
"The browser displays the HTML file directly"
It parses HTML into a DOM, combines styles, executes code, calculates layout, paints, and composites.
"CORS protects a server from all unwanted requests"
It controls whether browser scripts can read cross-origin responses. Servers still need authentication and request validation.
"Private browsing makes a user anonymous"
It mainly limits local history and storage persistence.
"A page finishing download means it is ready"
Parsing, JavaScript, rendering, fonts, images, and API requests can continue after network transfer.
Knowledge check
1. What tree does HTML parsing create?
The Document Object Model, or DOM.
2. What are the four simplified rendering stages?
Style calculation, layout, paint, and compositing.
3. Why do browsers use separate renderer processes?
They improve site isolation, crash containment, and sandbox security.
4. What does the same-origin policy restrict?
It prevents one origin's page from freely reading protected data belonging to another origin.
The one idea to remember
A browser is a complete application platform, not a passive page downloader.
It coordinates networking, parsing, code execution, security, storage, layout, graphics, accessibility, and user interaction to turn web resources into an experience.
Next, we will focus on HTML, the language that gives web content structure and meaning.