Security Activity Proposal (July 2011)

This Activity Proposal is public.

Executive Summary

This is a proposal to add a Web Application Security Working Group and a Security Interest Group to the Security Activity. The Web Application Security Working Group is proposed to deliver lightweight policy expression to enhance the security of mash-ups and modern Web applications. The Web Security Interest Group is chartered as a gathering place for interested parties, and as a resource that Working Groups can turn to to elicit security expertise.

The existing XML Security Working Group remains unchanged.

Acceptance of this proposal will result in an extension of the Security Activity through 31 March 2013.

This Activity Proposal follows section 5.3 of the Process Document.

Web and Web Application Security


With the emergence of the Open Web Platform as an application platform, the question of security policies for modern Web Applications gains increasing importance: Modern Web Applications may be governed by numerous security policies which are documented in a number of specifications, including HTML5 and XMLHttpRequest. Unfortunately, these policies are not implemented uniformly across major web browsers and plugins, are inadequate for certain use cases. Because there is no standard, shared mechanism for declaring and enforcing policies it is not possible for sites to selectively declare the need to escape from some restrictions or to request enforcement of additional restrictions.

These issues are especially relevant for the many web applications which incorporate, or "mashup", other web application resources. That is, they comprise multiple origins (i.e., security principals).

Charter Overview: Web Application Security Working Group

The proposed Web Application Security Working Group (charter) addresses these issues by developing a policy mechanism providing web application administrators a standardized means for security policy declaration, based on the existing Content Security Policy specification. Informal drafts of that specification are seeing deployment in Firefox and Google Chrome, and on Web properties like Twitter. Further, the Working Group is chartered to - jointly with the Web Applications Working Group - finalize the CORS and Unified Messaging Policy specifications to enable secure cross-origin applications.

Initial Chairs: Brad Hill (Paypal); Eric K. Rescorla (Invited Expert)
Initial Team Contact: Thomas Roessler (10%)

Charter Overview: Security Interest Group

The proposed Security Interest Group (charter) creates a chartered structure around the existing informal public-web-security mailing list, and enables discussion among interested parties of ways to improve the security of the specifications and implementations that together create the Open Web Platform. The IG can further serve as a locus of expertise that other W3C groups can turn to in order to ask for security-related expertise.

Initial Chairs: Adam Barth (Google, Inc.)
Initial Team Contact: Thomas Roessler (5%)

Resource Statement

0.35 FTE of Team resources will be allocated to this Activity at this point. The overall resource commitment for this activity will not change as a result of this proposal, as resources are reallocated from the XML Security Working Group to the newly proposed groups.

Intellectual Property

All new Working Groups chartered in the W3C Security Activity are operating under the W3C Patent Policy of 5 February 2004 version. To promote the widest adoption of Web standards, W3C seeks to issue Recommendations that can be implemented, according to this policy, on a Royalty-Free basis.


An extension of the Security Activity through 31 March 2013 is proposed.

Overview of Modified Activity Structure

Group Chair Team Contact Charter
Web Application Security Working Group Brad Hill (Paypal)
Eric K. Rescorla (Invited Expert)
Thomas Roessler Proposed until 31 March 2013
Web Security Interest Group Adam Barth (Google) Thomas Roessler Proposed until 31 March 2013
XML Security Working Group Frederick Hirsch (Nokia) Thomas Roessler Chartered until 31 May 2010; extended until 30 June 2012

Please refer to the member-confidential effort table for details about allocated Team effort.


The Lead for the Security Activity is Thomas Roessler <tlr@w3.org>.

$Id: security-activity.html,v 1.13 2008/03/19 18:41:20 roessler Exp $