W3C

DRAFT Web Application Security Working Group Charter

This document is a strawman that has not undergone formal review. Please send informal comment to public-web-security@w3.org (public archive).

The mission of the Web Application Security Working Group, part of the Rich Web Client Activity, is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-site communication.

Join the Web Application Security Working Group.

End date: 31 October 2011
Confidentiality: Proceedings are public
Initial Chairs: CHAIR INFO
Initial Team Contacts (FTE %: 10): TEAM CONTACT INFO
Usual Meeting Schedule: Teleconferences: Weekly
Face-to-face: Once annually, at the W3C Technical Plenary

Scope

Modern Web browsers embed numerous security policies which are documented in a number of specifications, including HTML5 and XMLHttpRequest. These policies have proven to be inadequate for certain use cases.

The Web Application Security Working Group will develop one or more Recommendations to enable secure cross-origin resource sharing, as joint work with the Web Applications Working Group, based on the current Cross Origin Resource Sharing (CORS) and Uniform Messaging Policy (UMP) specifications. The Working Group will also develop a lightweight content security policy mechanism that permits sites to adjust individual control points within the HTML5 security policy.

Success Criteria

To advance to Proposed Recommendation, each specification is expected to have two independent implementations of each feature described in the specification.

Deliverables

Content Security Policy
A policy language intended to enable web designers or server administrators to adjust the HTML5 security policy, and specify how content interacts on their web sites. The goal of this specification is to help mitigate and detect types of attacks such as XSS and data injection. It is not intended to serve as a main line of defense, but rather one of the many layers of security that can be employed to help secure a web site. Addressing Cross Site Request Forgery is not a primary focus of this work.
Secure Cross-Domain Resource Sharing
Mechanisms for selective and secure cross-domain scripting. For more details, see the WebApps WG Comparison of CORS and UMP. Currently, there are two different specifications defining proposed mechanisms, Cross Origin Resource Sharing (CORS) and Uniform Messaging Policy (UMP). Deliverables under this work item will be published as joint deliverables with the Web Applications Working Group.

Milestones

Specification transition estimates and other milestones

Note: The group will document significant changes from this initial schedule on the group home page.

Specification | FPWD       | LC         | CR         | PR         | Rec
FooML         | Month YYYY | Month YYYY | Month YYYY | Month YYYY | Month YYYY
BarML         | Month YYYY | Month YYYY | Month YYYY | Month YYYY | Month YYYY

Timeline View Summary

Put here a timeline view of all deliverables. Note: In a version based on RDF, we can generate this...

Dependencies and Liaisons

W3C Groups

Web Applications Working Group
This Working Group will develop its secure cross-site resource sharing deliverable as joint work with the Web Applications Working Group.
HTML Working Group
The HTML5 specification defines many of the security policies that apply in the current browser environment.
DAP
??

Outside Groups

IETF
The IETF is currently considering taking up related work.

Furthermore, Web Application Security Working Group expects to follow these W3C Recommendations:

Participation

To be successful, the Web Application Security Working Group is expected to have 10 active participants for its duration. Effective participation in the Web Application Security Working Group is expected to consume one day per week for chairs and editors. The Web Application Security Working Group will also allocate the necessary resources for building Test Suites for each specification.

Communication

This group primarily conducts its work on the public mailing list LIST NAME.

Information about the group (deliverables, participants, face-to-face meetings, teleconferences, etc.) is available from the Web Application Security Working Group home page.

Decision Policy

As explained in the Process Document (section 3.3), this group will seek to make decisions when there is consensus. When the Chair puts a question and observes dissent, after due consideration of different opinions, the Chair should record a decision (possibly after a formal vote) and any objections, and move on.

Patent Policy

This Working Group operates under the W3C Patent Policy (5 February 2004 Version). To promote the widest adoption of Web standards, W3C seeks to issue Recommendations that can be implemented, according to this policy, on a Royalty-Free basis.

For more information about disclosure obligations for this group, please see the W3C Patent Policy Implementation.

About this Charter

This charter for the Web Application Security Working Group has been created according to section 6.2 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.

@@For a revised charter (that is, not simply extended), per process doc 6.2.3, please include a list of the most important changes here, or link to a diff-marked HTML version; see the html diff tool@@


Thomas Roessler <tlr@w3.org>

$Date: 2010/07/21 15:55:55 $