This is DRAFT PROPOSED CHARTER. Please send comments to public-webappsec@w3.org
The mission of the Web Application Security Working Group, part of the Security Activity, is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-origin communication.
End date | 31 December 2016 |
---|---|
Confidentiality | Proceedings are public |
Chairs | Brad Hill, Dan Veditz |
Team Contacts (FTE %: 10) |
Wendy Seltzer |
Usual Meeting Schedule | Teleconferences: Bi-Weekly
Face-to-face: 1-2 annually |
Modern Web Applications are composed of many parts and technologies. They may transclude, reference or have information flows between resources at the same, related or different origins. Due to the historically coarse-grained nature of the security boundaries and principals defined for such applications, they can be very difficult to secure.
In particular, application authors desire uniform policy mechanisms to allow application components to drop privileges and reduce the chance they will be exploited, or that exploits will compromise other content, to isolate themselves from vulnerabilities in content that might otherwise be within the same security boundaries, and to communicate securely across security boundaries. These issues are especially relevant for the many web applications which incorporate other web application resources (mashups). That is, they comprise multiple origins (i.e., security principals).
Areas of scope for this working group include:
The WG will design mechanisms to allow applications to:
Several mechanisms for secure resource sharing and messaging across origins exist or are being specified, but several common and desirable use cases are not covered by existing work, such as:
Given the ad-hoc nature in which many important security features of the Web have evolved, providing uniformly secure experiences to users is difficult for developers. The WG will document and create uniform experiences for several undefined areas of major utility, including:
In addition to developing Recommendation Track documents in support of these goals, the Web Application Security Working Group may provide review of specifications from other Working Groups, in particular as these specifications touch on chartered deliverables of this group (in particular CSP), or the Web security model, and may also develop non-normative documents in support of Web security, such as developer and user guides for its normative specifications.
To advance to Proposed Recommendation, each specification is expected to have two independent implementations of each feature described in the specification.
All of the following deliverables are on or proposed for the Recommendation Track:
A policy language intended to enable web designers or server administrators to declare a security policy for a web resource. The goal of this specification is to reduce attack surface by specifying overall rules for what content may or may not do, thus preventing violation of security assumptions by attackers who are able to partially manipulate that content. Content Security Policy (CSP) Level 2 succeeds CSP 1.0, which will transition to WG Note status, and the WG will begin work on additional features while Level 2 advances from Candidate to full Recommendation.
Define a new HTTP header that allows authors to instruct user agents to remember ("pin") and enforce a Content Security Policy for a set of hosts for a period of time.
Create and advance existing recommendations specifying bi- directional parent/child policies to enable secure mash-up applications built around cross-domain framing. To express necessary constraints and demands, this deliverable will re-use and extend the policy language of the Content Security Policy deliverable with the goal of creating uniform semantics for requirements currently disjoint in expression and implementation across the CSP, the HTML5 IFRAME sandbox, and the X-Frame-Options HTTP header. This work will be closely coordinated with the IETF websec WG in order to avoid overlapping or conflicting specifications.
A recommendation for dealing with resources loaded over insecure channels in a secure web application. Use cases includes standard behaviors for user agents to follow when encountering insecure resource loads in a secure context. This might include definitions of “active” and “passive” content that must be blocked or can be loaded with a warning, and possibly ways for secure applications to consume insecure but non-sensitive resources (such as a weather feed).
Create a mechanism to assist in sites migrating from HTTP to HTTPS by allowing them to assert to a user agent that they intend a site to load only secure resources, and that insecure URLs ought to be treated as though they had been replaced with secure URLs. This functionality will be delivered either as a standalone recommendation, or as part of an update to the Mixed Content deliverable.
A recommendation for dealing with features which self-designate as requiring a privileged context to be enabled, e.g. because such features provide access to sensitive personal information. The recommendation will include non-normative advice on when a feature might designate itself as requiring a secure context and provide a normative algorithm for determining if a given context is privileged. This work will be a joint deliverable with the W3C Technical Architecture Group.
A recommendation for uniquely identifying resources loaded in a secure web application to detect and prevent potentially malicious modification. Use cases include adding integrity protections to sub-resource loads from HTML documents. This mechanism would have the goals of allowing resource authors to specify the exact hash value of cross- origin sub-resources. Possible future features may include allowing optimistic loading of such resources from content- aware caches or over insecure transports, provided appropriate privacy and security guarantees can be achieved. This work would be coordinated with and possibly be a joint deliverable with the HTML WG.
A recommendation for a header and meta tag allowing resource authors to specify a policy for the values sent as part of the HTTP Referer (sic) header. Use cases include making this policy more restrictive to protect applications which include security capability tokens in the URL, or allowing more permissive sharing of referrer information from secure to insecure origins to remove barriers which today prevent applications from moving to secure origins.
Create and advance recommendation(s) for a standardized API to address use cases related to assisted management of user credentials, including traditional username/password pairs, username/federated identity provider pairs. The API should allow for explicit and interoperable imperative mechanism for use and lifecycle management of these common credential types.
Create and advance a recommendation to allow applications to place themselves into namespaces within a traditional scheme/host/port RFC 6454 Origin label to enable easier development of modular applications with privilege separation.
Create and advance a recommendation for a robust JavaScript confinement system for modern web browsers, in a way that is backward-compatible with legacy web content. The goal of the specification is to define APIs for specifying privacy and integrity policies on data, in the form of origin labels, and a mechanism for confining browsing contexts (pages, iframes, etc.) according to these labels. This would allow Web application authors and server operators to share data with untrusted -- buggy but not malicious -- code (e.g., in a mashup scenario, cross-origin iframes) yet impose restrictions on how the code can further share the sensitive data.
An additional goal is to define a light-weight, in-thread Web Worker. This would allow developers to build privilege-separated, compartmentalized applications
Create and advance a recommendation to allow web applications to designate their entry points via a combination of headers and a policy manifest. Conformant user agents will restrict external navigations and other information flows into the application based on this policy to reduce the application's attack surface against Cross-Site Scripting and Cross Site Request Forgery.
Restricting deep-linking for non-security purposes is not a goal of this deliverable, and it should give resource owners no additional ability to do so beyond current abilities of the web platform, e.g. by providing a simple to deploy mechanism using client-side state to supplement what can already be accomplished by a less-scalable web application firewall. Preserving the ability to link on the web platform will be prioritized.
Create and advance a recommendation to allow web applications to be aware of the status of a given permission, to know whether it is granted, denied, or if the user will be asked whether the permission should be granted. This recommendation will not address user agent implementations of permissions, including their scope, duration, granularity, or user interface and experience for indicating, configuring, or asking for permissions.
Note: The group will document significant changes from this initial schedule on the group home page. | |||||
Specification | FPWD | LC | CR | PR | Rec |
---|---|---|---|---|---|
Content Security Policy Level 2 |
February 2015 |
April 2015 |
May 2015 |
||
Content Security Policy "Next" |
December 2014 | October 2015 | December 2015 | March 2016 | July 2016 |
UI Security Directives for CSP |
July 2015 | October 2015 | December 2015 | ||
Mixed Content |
November 2014 | January 2015 | March 2015 | August 2015 | |
Privileged Contexts |
November 2014 | January 2015 | March 2015 | August 2015 | |
Subresource Integrity |
January 2015 | March 2015 | May 2015 | July 2015 | |
Referrer Policy |
January 2015 | March 2015 | May 2015 | July 2015 | |
Credential Management API |
January 2015 | May 2015 | August 2015 | October 2015 | December 2015 |
Suborigin Namespaces |
January 2015 | May 2015 | August 2015 | October 2015 | December 2015 |
Confinement with Web Origin Labels |
January 2015 | May 2015 | August 2015 | October 2015 | December 2015 |
Entry Point Regulation for Web Applications |
January 2015 | May 2015 | August 2015 | October 2015 | December 2015 |
Permissions API |
January 2015 | May 2015 | August 2015 | October 2015 | December 2015 |
To be successful, the Web Application Security Working Group is expected to have 10 active participants for its duration. Effective participation to Web Application Security Working Group is expected to consume one day per week for chairs and editors. The Web Application Security Working Group will allocate also the necessary resources for building Test Suites for each specification.
This group primarily conducts its work on the public mailing list public-webappsec@w3.org (archive).
Information about the group (deliverables, participants, face-to-face meetings, teleconferences, etc.) is available from the Web Application Security Working Group home page.
As explained in the Process Document (section 3.3), this group will seek to make decisions when there is consensus. When the Chair puts a question and observes dissent, after due consideration of different opinions, the Chairs should put a question out for voting within the group (allowing for remote asynchronous participation -- using, for example, email and/or web-based survey techniques) and record a decision, along with any objections. The matter should then be considered resolved unless and until new information becomes available.
Any resolution first taken in a face-to-face meeting or teleconference [i.e., that does not follow a 7 day call for consensus on the mailing list] is to be considered provisional until 5 working days after the publication of the resolution in draft minutes, available from the WG's calendar or home page. If no objections are raised on the mailing list within that time, the resolution will be considered to have consensus as a resolution of the Working Group.
This Working Group operates under the W3C Patent Policy (5 February 2004 Version). To promote the widest adoption of Web standards, W3C seeks to issue Recommendations that can be implemented, according to this policy, on a Royalty-Free basis.
For more information about disclosure obligations for this group, please see the W3C Patent Policy Implementation.
This charter for the Web Application Security Working Group has been created according to section 6.2 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
Please also see the previous charter for this group.
Copyright© 2015 W3C ® (MIT, ERCIM, Keio, Beihang), All Rights Reserved.