Capabilities are used to control access to system resources. In modern programming languages that execute code with different levels of trust in the same process, the propagation of such capabilities must be controlled so that they cannot unintentionally be obtained by unauthorised code. In this paper, we present a statically-checked type system for object-oriented programming languages which guarantees that capabilities are restricted to authorised code. Capabilities are regarded as types that are granted to code based on a user-defined policy file (similar to that used by Java). In order to provide a finer-grained access control, the type system supports parameterised capabilities to more precisely identify system resources. The approach ...