Nowadays, more and more applications are built with web technologies like HTML, CSS, and JavaScript, which are then executed in browsers. The web is utilized as an operating system independent application platform. With this change, authorization models change and no longer depend on operating system accounts and underlying access controls and file permissions. Instead, these accounts are now implemented in the applications themselves, including all of the protective measures and security controls that are required for this. Because of the inherent complexity, flaws in the authorization logic are among the most common security vulnerabilities in web applications. Most applications are built on the concept of the Access-Control List (ACLs), a security model that decides who can access what object. Object Capabilities, transferable rights to perform operations on specific objects, have been proposed as an alternative to ACLs, since they are not susceptible to certain attacks prevalent for ACLs. While their use has been investigated for various domains, like smart contracts, they have not been widely applied for web applications. In this paper, we therefore present a general overview of the capability based authorization model and adapt those approaches for use in web applications. Based on a prototype implementation, we show the possibilities of Object Capabilities to enhance security, but also provide insights on existing pitfalls and problems in porting such models to the web domain.