This page summarizes the relationships among specifications, whether they are finished standards or drafts. Below, each title links to the most recent version of a document.
W3C Recommendations have been reviewed by W3C Members, by software developers, and by other W3C groups and interested parties, and are endorsed by the Director as Web Standards. Learn more about the W3C Recommendation Track.
Group Notes are not standards and do not have the same level of W3C endorsement.
This document defines a mechanism to enable client-side cross-origin requests.
This document consists of use cases for the Web Cryptography API and the Key Discovery API, expressed as scenarios along with illustrative code snippets.
This specification defines the From-Origin response header - a way for resources to declare they are unavailable within an embedding context.
Below are draft documents: Candidate Recommendations, Last Call Drafts, and other Working Drafts. Some of these may become Web Standards through the W3C Recommendation Track process. Others may be published as Group Notes or become obsolete specifications.
Content Security Policy is a mechanism web applications can use to mitigate the broad class of content injection vulnerabilities, such as cross-site scripting (XSS). Content Security Policy is a declarative policy that lets the authors (or server administrators) of a web application restrict from where the application can load resources.
This document defines a policy language used to declare a set of content restrictions for a web resource, and a mechanism for transmitting the policy from a server to a client where the policy is enforced.
This document defines directives for the Content Security Policy mechanism to declare a set of input protections for a web resource's user interface, a non-normative set of heuristics for Web user agents to implement these input protections, and a reporting mechanism for when they are triggered.
This specification describes how and why user agents disallow rendering and execution of content loaded over unencrypted or unauthenticated connections in the context of an encrypted and authenticated document.
This document defines a mechanism by which user agents may verify that a fetched resource has been delivered without unexpected manipulation.
This document specifies a runtime and security model for Web Applications. It describes how an application is defined through an application manifest, and how it can be installed, updated and packaged. It also specifies how such an application can be put into the background, be put back in the foreground or woken up. Finally, the document describes the security model for such applications. This includes the permission model and the different security rules that would apply.
The Uniform Messaging Policy (UMP) enables cross-site messaging that avoids Cross-Site-Request-Forgery and similar attacks that abuse HTTP cookies and other credentials.