Once a web application authenticates a user, it loosely associates all resources owned by the user to the web session established. Consequently, any scripts injected into the victim web session attain unfettered access to user-owned resources, including scripts that commit malicious activities inside a web application. In this paper, we establish the first explicit notion of user sub-origins to defeat such attempts. Based on this notion, we propose a new solution called USERPATH to establish an end-to-end trusted path between web application users and web servers. To evaluate our solution, we implement a prototype in Chromium, and retrofit it to 20 popular web applications. USERPATH reduces the size of client-side TCB that has access to user-owned resources by 8x to 264x, with small developer effort.