The Web is playing a very important role in our lives, and is becoming an essential element of the computing infrastructure. With such a glory come the attacks–the Web has become criminals’ preferred targets. Web-based vulnerabilities now outnumber traditional computer security concerns. Although various security solutions have been proposed to address the problems on the Web, few have addressed the root causes of why web applications are so vulnerable to these many attacks. We believe that the Web’s current access control models are fundamentally inadequate to satisfy the protection needs of today’s web, and they need to be redesigned. In this extended abstract, we explain our position, and summarize our efforts in redesigning the Web’s access control systems.