Web Application Security Working Group Charter
| End date | 31 March 2013 |
|---|---|
| Confidentiality | Proceedings are public |
| Initial Chairs | Brad Hill (Paypal) Eric K. Rescorla (Invited Expert) |
| Initial Team Contacts (FTE %: 10) |
Thomas Roessler |
| Usual Meeting Schedule | Teleconferences: Weekly Face-to-face: Once Annually, at the W3C Technical Plenary |
Scope
Modern Web Applications may be governed by numerous security policies which are documented in a number of specifications, including HTML5 and XMLHttpRequest. Unfortunately, these policies are not implemented uniformly across major web browsers and plugins, and are inadequate for certain use cases. Because there is no standard, shared mechanism for declaring and enforcing policies it is not possible for sites to selectively declare the need to escape from some restrictions or to request enforcement of additional restrictions.
These issues are especially relevant for the many web applications which incorporate other web application resources (mashups). That is, they comprise multiple origins (i.e., security principals).
Areas of scope for this working group include:
- Attack Surface Reduction: The WG will design mechanisms to allow applications to restrict or forbid potentially dangerous features which they do not intend to use, thus limiting the attack surface.
- Secure Mashups: Several mechanisms for secure resource sharing and messaging across origins exist or are being specified, but several common and desirable use cases are not covered by existing work, such as: allowing child IFRAMEs to protect themselves from "clickjacking" or specify what characteristics a parent window must allow. The WG will design mechanisms and coordinate with existing and ongoing work in other forums to allow secure mashups.
- Manageability: The coarse-grained nature of security principals (origins) in web application security policies, (e.g. the Same Origin Policy) means that a security weakness in any origin's web application resources may create vulnerabilities for all web application resources of that origin, as well as for any other origins whose web applications interact with it. Mechanisms which require individual declaration at every resource or element are impractical for large scale sites, and also unsuitable for legacy applications not under active maintenance. Web application administrators should have available a small number of uniform policy control points from which to manage these risks.
The Web Application Security (WebAppSec) Working Group will develop a policy mechanism providing web application administrators a standardized means for security policy declaration, based on the existing Content Security Policy specification.
The WebAppSec Working Group also will develop one or more recommendation(s) to enable secure, cross-origin applications, as joint work with the Web Applications Working Group, based on the current Cross Origin Resource Sharing and Uniform Messaging Policy specifications. The Working Group may choose to progress either or both of UMP and CORS on the Recommendation Track, or may propose a harmonized specification.
Success Criteria
To advance to Proposed Recommendation, each specification is expected to have two independent implementations of each feature described in the specification.
Deliverables
- Content Security Policy (CSP)
- A policy language intended to enable web designers or
server administrators to declare web application content
security policy. The goal of this specification is to reduce
attack surface by specifying overall rules for what content
may or may not do, thus preventing violation of security
assumptions by attackers who are able to partially
manipulate that content.
- Secure Cross-Domain Resource Sharing
- Advance one or several existing recommendation-track documents specifying mechanisms necessary for secure mash-up applications, based on the existing UMP and CORS specifications. Such recommendations will be published as joint work with the Web Applications Working Group.
- Secure Cross-Domain Framing
- Create and advance existing recommendations specifying bi-directional parent/child policies to enable secure mashup applications built around cross-domain framing. To express necessary constraints and demands, this deliverable will re-use and extend the policy language of the Content Security Policy deliverable with the goal of creating uniform semantics for requirements currently disjoint in expression and implementation across the CSP, the HTML5 IFRAME sandbox, and the X-Frame-Options HTTP header. This work will be closely coordinated with the IETF websec WG and other frame policy related work in the IETF in order to avoid overlapping or conflicting specifications.
Milestones
| Note: The group will document significant changes from this initial schedule on the group home page. | |||||
| Specification | FPWD | LC | CR | PR | Rec |
|---|---|---|---|---|---|
| Content Security Policy |
August 2011 |
May 2012 |
July 2012 |
September 2012 |
October 2012 |
| Secure Cross-Domain Resource
Sharing |
(not applicable) | May 2012 | July 2012 | September 2012 | October 2012 |
| Secure Cross-Domain Framing |
November 2011 | August 2012 | October 2012 | December 2012 | January 2013 |
Dependencies and Liaisons
W3C Groups
- Web Applications Working Group
- This Working Group will develop its secure cross-site resource sharing deliverable as joint work with the Web Applications Working Group.
- HTML Working Group
- The HTML5 specification defines many of the security policies that apply in the current browser environment.
- Device API Working Group
- The Device API Working Group's deliverables include an API for requesting and managing user permissions to use device features.
Outside Groups
- IETF WebSec Working Group
- The IETF Web Security WG is chartered to provide a Web Security problem statement and standardize a limited number of selected specifications. This Working Group is expected to liaise and collaborate closely with the WebSec Working Group. Coordination is, in particular, expected with respect to the secure cross-domain framing deliverable proposed in this charter, and ongoing work to document the X-Frame-Options mechanism within the IETF.
Participation
To be successful, the Web Application Security Working Group is expected to have 10 active participants for its duration. Effective participation to Web Application Security Working Group is expected to consume one day per week for chairs and editors. The Web Application Security Working Group will allocate also the necessary resources for building Test Suites for each specification.
Communication
This group primarily conducts its work on the public mailing list public-webappsec@w3.org.
Information about the group (deliverables, participants, face-to-face meetings, teleconferences, etc.) is available from the Web Application Security Working Group home page.
Decision Policy
As explained in the Process Document (section 3.3), this group will seek to make decisions when there is consensus. When the Chair puts a question and observes dissent, after due consideration of different opinions, the Chair should record a decision (possibly after a formal vote) and any objections, and move on.
Patent Policy
This Working Group operates under the W3C Patent Policy (5 February 2004 Version). To promote the widest adoption of Web standards, W3C seeks to issue Recommendations that can be implemented, according to this policy, on a Royalty-Free basis.
For more information about disclosure obligations for this group, please see the W3C Patent Policy Implementation.
About this Charter
This charter for the Web Application Security Working Group has been created according to section 6.2 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.
Brad Hill, Eric K. Rescorla, Thomas Roessler <tlr@w3.org>
Copyright © 2011 W3C ® (MIT , ERCIM , Keio), All Rights Reserved.
$Date: 2014/07/10 17:19:11 $