Web Application Security Working Group


As stated in its charter, the mission of the Web Application Security Working Group is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-site communication.

Past and Upcoming Events
Weekly teleconference: every other Wednesday, (8:00-9:00 PST)

Next regular call: 10-September-2014

2014-07-03 LCWD of CSP Level 2 . Call for Exclusions concludes 01-Sep-2014. Last Call for comments concludes 13-August-2014.
2014-01-16 LCWD of User Interface Security: . Call for Exclusions concludes 17-May-2014. Last Call for comments concludes 18-June-2014.
2014-01-16 FPWD of Subresource Integrity: . Call for Exclusions concludes 15-August-2014.
2014-01-16 Cross-Origin Resource Sharing (CORS) is now a W3C Recommendation: http://www.w3.org/TR/CORS
2013-10-24 Rechartered: http://www.w3.org/2013/07/webappsec-charter.html
Also on this page → Publication Status | WG Resources | Charter and History | Participants
API Specifications and Non-Normative Documents
Name of Spec

(Editor's Draft)

Last Publication Type Remarks Testing Plans
Content Security Policy 15-November-2012 CR Editors: Brandon Sterne and Adam Barth Test Coordinator: Mike West
Content Security Policy Level 2 03-Jul-2014 LCWD Editors: Mike West, Dan Veditz and Adam Barth Test Coordinator: Mike West
User Interface Security Directives for Content Security Policy 18-March-2014 LCWD Editors: Giorgio Maone, David Lin-Shung Huang, Brad Hill, Tobias Gondrom Last Call ends 18-June-2014
Cross-Origin Resource Sharing 16-January-2014 REC Editor: Anne van Kesteren Test Coordinator: Gopal Raghavan
Subresource Integrity 18-March-2014 FPWD Editors: Frederik Braun, Devdatta Akhawe, Joel Weinberger, Mike West Test Coordinator:
Uniform Messaging Policy, Level One 15-June-2010 Input document (from WebApps WG) Editors: Tyler Close and Mark Miller Not on recommendation track at this time.
Security on the Web 4-Feb-2011 Input document summary by J. Kemp for the TAG - this document is not a TAG Finding

Working Group Resources

Work Mode

This general practices of this WG are are documented on our Work Mode Page.

Meeting Minutes

DRAFT Teleconference Minutes, 2014-08-27: http://www.w3.org/2011/webappsec/draft-minutes/2014-08-27-webappsec-minutes.html

Teleconference Minutes, 2014-08-13: http://www.w3.org/2011/webappsec/minutes/2014-08-13-webappsec-minutes.html

Teleconference Minutes, 2014-07-16: http://www.w3.org/2011/webappsec/minutes/2014-07-16-webappsec-minutes.html

Teleconference Minutes, 2014-07-02: http://www.w3.org/2011/webappsec/minutes/2014-07-02-webappsec-minutes.html

DRAFT Teleconference Minutes, 2014-06-18: http://www.w3.org/2011/webappsec/draft-minutes/2014-06-18-webappsec-minutes.html

Teleconference Minutes, 2014-05-21: http://www.w3.org/2011/webappsec/minutes/2014-05-21-webappsec-minutes.html

Teleconference Minutes, 2014-05-07: http://www.w3.org/2011/webappsec/minutes/2014-05-07-webappsec-minutes.html

Teleconference Minutes, 2014-04-23: http://www.w3.org/2011/webappsec/minutes/2014-04-23-webappsec-minutes.html

Teleconference Minutes, 2014-04-09: http://www.w3.org/2011/webappsec/minutes/2014-04-09-webappsec-minutes.html

Teleconference Minutes, 2014-03-12: http://www.w3.org/2011/webappsec/minutes/2014-03-12-webappsec-minutes.html

Teleconference Minutes, 2014-02-26: http://www.w3.org/2011/webappsec/minutes/2014-02-26-webappsec-minutes.html

Teleconference Minutes, 2014-02-12: http://www.w3.org/2011/webappsec/minutes/2014-02-12-webappsec-minutes.html

Teleconference Minutes, 2014-01-29: http://www.w3.org/2011/webappsec/minutes/2014-01-29-webappsec-minutes.html

Teleconference Minutes, 2014-01-14: http://www.w3.org/2011/webappsec/minutes/2014-01-14-webappsec-minutes.html

Teleconference Minutes, 2013-12-17: http://www.w3.org/2011/webappsec/minutes/2013-12-17-webappsec-minutes.html

Teleconference Minutes, 2013-12-03: http://www.w3.org/2011/webappsec/minutes/2013-12-03-webappsec-minutes.html

Teleconference Minutes, 2013-11-19: http://www.w3.org/2011/webappsec/minutes/2013-11-19-webappsec-minutes.html

Teleconference Minutes, 2013-10-22: http://www.w3.org/2011/webappsec/minutes/2013-10-22-webappsec-minutes.html

Teleconference Minutes, 2013-10-08: http://www.w3.org/2011/webappsec/minutes/2013-10-08-webappsec-minutes.html

Teleconference Minutes, 2013-09-24: http://www.w3.org/2011/webappsec/minutes/2013-09-24-webappsec-minutes.html

Teleconference Minutes, 2013-09-24: http://www.w3.org/2011/webappsec/minutes/2013-09-24-webappsec-minutes.html

Teleconference Minutes, 2013-09-24: http://www.w3.org/2011/webappsec/minutes/2013-09-24-webappsec-minutes.html

Teleconference Minutes, 2013-09-24: http://www.w3.org/2011/webappsec/minutes/2013-09-24-webappsec-minutes.html

Teleconference Minutes, 2013-09-24: http://www.w3.org/2011/webappsec/minutes/2013-09-24-webappsec-minutes.html

Teleconference, 10-Sep-2013: http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-10-Sep-2013.html

Teleconference, 27-Aug-2013: http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-27-Aug-2013.html

Teleconference, 13-Aug-2013: http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-13-Aug-2013.html

Teleconference, 15-Jul-2013: http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-15-Jul-2013.html

Teleconference, 02-Jul-2013: http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-02-Jul-2013.html

Teleconference, 04-Jun-2013: http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-04-Jun-2013.html

Teleconference, 07-May-2013: http://www.w3.org/2011/webappsec/minutes/webappsec-minutes-07-May-2013.html

Actions/Issues tracking

See the Working Group's tracker instance (Tracker's documentation).

The WG's Bugzilla instace is at: http://www.w3.org/Bugs/Public/describecomponents.cgi?product=WebAppsSec

Telecon Resources

Weekly teleconference: every other Tuesday, 22:00-23:00 UTC(14:00-15:00 PST)

The number for all calls on W3C Zakim bridge is +1.617.761.6200 then enter conference passcode 92794 ('WASWG'). If you can't get into the bridge, dial *0 to speak to the operator — they can manually connect you. Zakim allows participants to mute themselves by pressing 61# ("M" for mute, then "1" for on) and unmute themselves with 60#.

It is possible to participate in meetings by telephone alone but participants' interaction is substantially improved by also joining the #webappsec irc channel or using the IRC Web interface (see also the comprehensive help for IRC). The group makes use of the following agents: zakim, rrsagent, and tracker.

Mailing list

Technical discussion takes place on the Working Group discussion list, public-webappsec@w3.org (archive). This is a public mailing list; to subscribe to the public-webappsec mailing list, please check the subscription procedure.

Search the archive help


Proposals, experiments, etc. related to this WG's deliverables can be discussed on the W3C Web Security Wiki at http://www.w3.org/Security/wiki/Main_Page

The WG will begin work on Content Security Policy 1.1 concurrently with moving 1.0 on the Recommendation track. Suggestions for features in 1.1 should go to the wiki at: http://www.w3.org/Security/wiki/Content_Security_Policy. Experimental implementations to accompany such suggestions are highly encouraged. A brainstorm list of proposed directives is also available at https://wiki.mozilla.org/Security/CSP/Strawman

Editors' Resources

General/Process Resources

Patent Disclosures

W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent.

Charter and History

The WebAppSec Working Group operates under a charter approved on 24-Oct-2013: http://www.w3.org/2013/07/webappsec-charter.html.

Working Group Participants

See: DBWG and IPP