This is a draft document for formal W3C Advisory Committee review. Please refer to the final charter.
The mission of the Web Application Security Working Group, part of the Security Activity, is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-site communication.
|End date||31 March 2013
|Confidentiality||Proceedings are public|
|Initial Chairs||Brad Hill (Paypal)
Eric K. Rescorla (Invited Expert)
|Initial Team Contacts
(FTE %: 10)
|Usual Meeting Schedule||Teleconferences: Weekly
Face-to-face: Once Annually, at the W3C Technical Plenary
Modern Web Applications may be governed by numerous security policies which are documented in a number of specifications, including HTML5 and XMLHttpRequest. Unfortunately, these policies are not implemented uniformly across major web browsers and plugins, and are inadequate for certain use cases. Because there is no standard, shared mechanism for declaring and enforcing policies it is not possible for sites to selectively declare the need to escape from some restrictions or to request enforcement of additional restrictions.
These issues are especially relevant for the many web applications which incorporate other web application resources (mashups). That is, they comprise multiple origins (i.e., security principals).
Areas of scope for this working group include:
The Web Application Security (WebAppSec) Working Group will develop a policy mechanism providing web application administrators a standardized means for security policy declaration, based on the existing Content Security Policy specification.
The WebAppSec Working Group also will develop one or more recommendation(s) to enable secure, cross-origin applications, as joint work with the Web Applications Working Group, based on the current Cross Origin Resource Sharing and Uniform Messaging Policy specifications.
To advance to Proposed Recommendation, each specification is expected to have two independent implementations of each feature described in the specification.
|Note: The group will document significant changes from this initial schedule on the group home page.|
|Content Security Policy
|Secure Cross-Domain Resource
||(not applicable)||May 2012||July 2012||September 2012||October 2012|
|Secure Cross-Domain Framing
||November 2011||August 2012||October 2012||December 2012||January 2013|
To be successful, the Web Application Security Working Group is expected to have 10 active participants for its duration. Effective participation to Web Application Security Working Group is expected to consume one day per week for chairs and editors. The Web Application Security Working Group will allocate also the necessary resources for building Test Suites for each specification.
This group primarily conducts its work on the public mailing list email@example.com.
Information about the group (deliverables, participants, face-to-face meetings, teleconferences, etc.) is available from the Web Application Security Working Group home page.
As explained in the Process Document (section 3.3), this group will seek to make decisions when there is consensus. When the Chair puts a question and observes dissent, after due consideration of different opinions, the Chair should record a decision (possibly after a formal vote) and any objections, and move on.
This Working Group operates under the W3C Patent Policy (5 February 2004 Version). To promote the widest adoption of Web standards, W3C seeks to issue Recommendations that can be implemented, according to this policy, on a Royalty-Free basis.
For more information about disclosure obligations for this group, please see the W3C Patent Policy Implementation.
This charter for the Web Application Security Working Group has been created according to section 6.2 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
$Date: 2011/08/31 09:20:33 $