Immersive experiences that mix digital and real-world objects are becoming reality. These experiences are already present on smartphones and game consoles via Kinect, and will eventually emerge on the device-agnostic web platform. These experiences raise serious privacy concerns, as they require real-time sensor input to appropriately intermingle digital and real-world objects. Previous research focuses on controlling application access to sensor input through filtering, access control, and sandboxing, which do not directly address the display tasks inherent to immersive experiences. Furthermore, these low-level solutions are a poor fit for integration with the high-level GUI toolkit in the web platform. This paper describes how to extend the existing web platform to enable least privilege for immersive rendering, and implements these extensions in a 3D web browser called SurroundWeb. The room skeleton lets applications place content in response to the physical dimensions and locations of renderable surfaces in a room. The detection sandbox lets applications declaratively place content near recognized objects in the room without revealing if the object is present. We demonstrate that these extensions reveal an acceptable amount of information to applications, can be used to implement a wide range of previously proposed immersive experiences with least privilege, and can be implemented with acceptable runtime overhead.