Mobile programs, like applets, are not only ubiquitous but also potentially malicious. We study the case where mobile programs are executed by a host system in a secured environment, in order to control the accesses from mobile programs to local resources. The article deals with the following question: how can we ensure that the local environment is secure? We answer by giving a confinement criterion: if the type of the local environment satisfies it, then no mobile program can directly access a local resource. The criterion, which is type-based and hence decidable, is valid for a functional language with references. By proving its validity, we solve a conjecture stated by Leroy and Rouaix at POPL '98. Moreover, we show that the criterion cannot be weakened by giving counter-examples for all the environment types that do not satisfy the criterion, and that it is pertinent by detailing the example of a specific security architecture. The main contribution of the article is the proof method, based on a language annotation that keeps track of code origin and that enables the study of the interaction frontier between the local code and the mobile code. The generalization of the method is finally discussed.