Cloud Services and Standards for Web Applications: current state and roadmap

This document summarizes how technologies currently developed in W3C apply to the Cloud context. This is a subset of our generic HTML5Apps roadmap highlighting standard work that is relevant to EU R&D projects developing Cloud software, in particular at the PAAS and SAAS layers.

  1. Core Web Design and Development
  2. Media and Real-Time Communications
  3. Usability and Accessibility
  4. Device Interaction
  5. Network Integration
  6. Application Lifecycle
  7. Payment and Services
  8. Performance & Tuning
  9. Security & Privacy

Document structure

Features in this roadmap are organized around the application foundations for the Open Web Platform, a set of high-level components that application developers rely on to build their Web-based content and services.

The following application foundations are considered in this document: core web design and development, media and real-time communications, usability and accessibility, device interaction, application lifecycle, payment and services, performance & tuning, and security & privacy. In addition, it covers topics related to network integration.

Beyond the areas covered below, the following W3C areas are relevant for Cloud services:

Diagram showing the various components of the Web platform
The Web as an application development platform

In each category of features, a table summarizes for each feature:

W3C creates Web standards by progressing documents through its Recommendation track, with the following stages:

For groups that have adopted it, the 2014 update of the W3C Process slightly simplifies the progression by removing the Last Call stage: instead of a single global call for review addressed to the whole community, Working Groups are empowered to solicit reviews from their various related communities, as long as they can demonstrate sufficiently wide review of the specification before requesting transition to Candidate Recommendation.

Prior to starting standardization, a Working Group needs to be chartered, based on input from W3C Members, often through the organization of a workshop, or after the reception of a W3C Member Submission.

W3C has set up Community Groups, a mechanism that allows anyone to do experimental work within the W3C infrastructure, under IPR rules that are compatible with transitioning the work to the W3C standardization process.

1. Core Web Design and Development

Overall, the Graphics and Layout layers are not very relevant for Cloud programmers; they are part of the UI considerations. That being said, the Web provides a valuable portable layer for Cloud application UIs, allowing them to concentrate on the lack of standards at the PAAS/IAAS level.

However, IndexedDB and background synchronisation form a combination well suited to Cloud storage, so it is something Cloud designers should track.

Some of this data needs to be encrypted. The Web Cryptography API from the Web Cryptography Working Group exposes strong cryptography primitives to Web applications, and can be bound to pre-provisioned keys via the WebCrypto Key Discovery API.

| Feature | Specification | Working Group | Maturity | Stability | Latest editor's draft | Current implementations | Developers doc | Test suite |
|---|---|---|---|---|---|---|---|---|
| Cloud storage | Indexed Database API | Web Applications | REC | Stable | Finished | Well deployed. Supported: Safari on iOS 8+, Internet Explorer on Windows Phone 10+, Firefox mobile 40+, Android browser 4.4+, Opera mobile 30+, Chrome for Android 44+ | WebPlatform.org, W3DevCampus | Good coverage |
| | Web Background Synchronization | Web Applications | N/A | Early draft | Last updated April 2015 | None. Not supported: Safari on iOS, Internet Explorer on Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android | | None |
| Encrypted storage | Web Cryptography API | Web Cryptography | CR | Stable | Last updated November 2014 | Well deployed. Supported: Safari on iOS 8+, Internet Explorer on Windows Phone 11+, Firefox mobile 19+, Android browser 44+, Opera mobile 30+, Chrome for Android 44+ | | Early start |
| | WebCrypto Key Discovery | Web Cryptography | WD | Early work | Last updated May 2014 | None. Not supported: Safari on iOS, Internet Explorer on Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android | | None |

2. Media and Real-Time Communications

More and more, sharing/streaming media is a big use case for cloud technologies, as the cloud makes everything faster and appear closer on the net, large binary objects in particular.

The natural distribution of media on a given Web page, coming from different servers, in different authenticated streams, should lead to a Cloud friendly architecture but Cloud designers are not always at the table to raise their requirements.

HTML5 adds two tags that dramatically improve the integration of multimedia content on the Web: the <video> and <audio> tags. Respectively, these tags allow embedding video and audio content, and make it possible for Web developers to interact much more freely with that content than they would through plug-ins. They make multimedia content first-class citizens of the Web, the same way images have been for the past 20 years.

The playback content can be streamed, augmented and completed via Media Source Extensions, which lets developers buffer and generate media content in JavaScript.

To cater for the needs of some content providers, Encrypted Media Extensions, a proposed API to enable playback of protected content, is under consideration in the HTML Working Group.

While the new HTML5 tags allow playing multimedia content, HTML Media Capture defines a markup-based mechanism to access captured multimedia content using attached cameras and microphones, a very common feature on mobile devices. The Web Real-Time Communications Working Group and the Device APIs Working Group are building together an API (getUserMedia) to directly manipulate streams from cameras and microphones, as well as an API to record these streams into files, and another API to use access to cameras to take photos programmatically. This makes it easy for Cloud-based media processing to obtain content from end-user devices.

Beyond capturing and recording, two additional APIs add multimedia manipulation capabilities to the Web platform. We have already mentioned the Canvas 2D Context API: it enables modifying images, which in turn opens up the possibility of video editing.

In a similar vein, the Audio Working Group is working on the Web Audio API, which makes it possible to analyze, modify and synthesize audio content.

The Web Real-Time Communications Working Group is the host of specifications for a wider set of communication opportunities:

The combination of all these features marks the starting point of the Web as a comprehensive platform for multimedia, both for consuming and producing. The rising interest around bridging the Web and TV worlds (manifested through the W3C Web and TV Interest Group) should strengthen that trend in the coming months. Mobile devices are expected to take a growing role in many users' TV experience, providing a “second screen” experience, where users can find more information on or interact with a TV program they're watching via their mobile devices.

| Feature | Specification | Working Group | Maturity | Stability | Latest editor's draft | Current implementations | Developers doc | Test suite |
|---|---|---|---|---|---|---|---|---|
| Video playback | video element in HTML5 | HTML | REC | Stable | Finished | Good deployment. Supported: Safari on iOS 3.2+, Internet Explorer on Windows Phone 10+, Firefox mobile 40+, Android browser 2.3+, Opera mobile 11+, Chrome for Android 44+ | WebPlatform.org, W3DevCampus | Well started |
| Audio playback | audio element in HTML5 | HTML | REC | Stable | Finished | Good deployment. Supported: Safari on iOS 3.2+, Internet Explorer on Windows Phone 10+, Firefox mobile 40+, Android browser 2.3+, Opera mobile 11+, Chrome for Android 44+ | WebPlatform.org, W3DevCampus | Started |
| Generation of media content | Media Source Extensions | HTML | CR | Stable | Last updated July 2015 | Well deployed. Supported: Internet Explorer on Windows Phone 11+, Android browser 4.4.3+, Opera mobile 30+, Chrome for Android 44+. Not supported: Safari on iOS, Firefox mobile | WebPlatform.org | Well started |
| Protected content playback | Encrypted Media Extensions | HTML | WD | Early draft | Last updated August 2015 | Limited. Supported: Internet Explorer on Windows Phone 11+, Chrome for Android 34p+. Not supported: Safari on iOS, Firefox mobile, Android browser, Opera mobile | | None |
| Capturing audio/video | HTML Media Capture | Device APIs | CR | Stable | Last updated October 2014 | Growing deployment. Supported: Safari on iOS 6.0+, Firefox mobile 9+, Android browser 3.0+, Chrome for Android 18+. Not supported: Internet Explorer on Windows Phone, Opera mobile | | Good coverage |
| | Media Capture and Streams | Device APIs and Web Real-Time Communications | LastCall | Stabilizing | Last updated August 2015 | Growing. Supported: Firefox mobile 40+, Android browser 44+, Opera mobile 12+, Chrome for Android 44+. Not supported: Safari on iOS, Internet Explorer on Windows Phone | | Started |
| | MediaStream Recording | Device APIs and Web Real-Time Communications | WD | Early draft | Last updated December 2014 | Very limited. Supported: Firefox mobile 29+. Not supported: Safari on iOS, Internet Explorer on Windows Phone, Android browser, Opera mobile, Chrome for Android | | None |
| | Mediastream Image Capture | Device APIs and Web Real-Time Communications | WD | Early draft | Last updated January 2015 | None. Not supported: Safari on iOS, Internet Explorer on Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android | | None |
| Image & Video analysis, modification | HTML Canvas 2D Context | HTML | CR | Stable | Last updated December 2014 | Widely deployed. Supported: Safari on iOS 3.2+, Internet Explorer on Windows Phone 10+, Firefox mobile 40+, Android browser 3+, Opera mobile 10+, Chrome for Android 44+ | WebPlatform.org, W3DevCampus | Good coverage |
| Audio analysis, modification | Web Audio API | Audio | WD | Starting to stabilize | Last updated August 2015 | Good deployment. Supported: Safari on iOS 6.0+, Firefox mobile 40+, Android browser 44+, Opera mobile 30+, Chrome for Android 44+. Not supported: Internet Explorer on Windows Phone | WebPlatform.org | Started |
| P2P connections and audio/video streams | WebRTC 1.0: Real-time Communication Between Browsers | Web Real-Time Communications | WD | Early draft | Last updated June 2015 | Growing. Supported: Firefox mobile 40+, Android browser 44+, Opera mobile 30+, Chrome for Android 44+. Not supported: Safari on iOS, Internet Explorer on Windows Phone | WebPlatform.org | Early start |

3. Usability and Accessibility

UI considerations are not very relevant for Cloud programmers, but the Web provides a valuable portable layer for Cloud application UIs.

4. Device Interaction

A primary use case for Cloud technologies in the near future will be to handle data gathered from the myriad of sensors that are built and distributed in devices all over the planet.

Web technologies can increasingly be used to interact with these sensors.

The Geolocation API provides a common interface for locating the device, independently of the underlying technology (GPS, Wi-Fi network identification, triangulation in cellular networks, etc.).

Web applications can also now access orientation and acceleration data via the DeviceOrientation Event Specification.

A number of APIs for other sensors are under development: the Battery Status API, the Proximity Events API, the Ambient Light Events API or the proposed Ambient Humidity Events API. The Device APIs Working Group has started an effort to propose a unification pattern for these various sensors.

As already mentioned in the section on multimedia, there is ongoing work on APIs to open up access to camera and microphone streams.

A Web Bluetooth Community Group was started to develop a Bluetooth API for browsers with a particular goal of supporting Bluetooth Low Energy devices.

| Feature | Specification | Working Group | Maturity | Stability | Latest editor's draft | Current implementations | Developers doc | Test suite |
|---|---|---|---|---|---|---|---|---|
| Geolocation | Geolocation API Specification | Geolocation | REC | Finished | Finished | Widely deployed. Supported: Safari on iOS 3.2+, Internet Explorer on Windows Phone 10+, Firefox mobile 40+, Android browser 2.1+, Opera mobile 11+, Chrome for Android 44+ | WebPlatform.org, W3DevCampus | Good coverage |
| Motion sensors | DeviceOrientation Event Specification | Geolocation | LastCall | Stabilizing, but with planned updates | Last updated August 2014 | Well deployed. Supported: Safari on iOS 4.2+, Internet Explorer on Windows Phone 11+, Firefox mobile 40+, Android browser 3+, Opera mobile 12+, Chrome for Android 44+ | WebPlatform.org, W3DevCampus | Started |
| Battery Status | Battery Status API | Device APIs | CR | Stable | Last updated August 2015 | Growing. Supported: Firefox mobile 40+, Android browser 44+, Opera mobile 30+, Chrome for Android 44+. Not supported: Safari on iOS, Internet Explorer on Windows Phone | | Good coverage |
| Proximity sensors | Proximity Events | Device APIs | WD | Likely to evolve substantially | Last updated September 2015 | Very limited. Supported: Firefox mobile 40+. Not supported: Safari on iOS, Internet Explorer on Windows Phone, Android browser, Opera mobile, Chrome for Android | | Started |
| Ambient Light sensor | Ambient Light Events | Device APIs | WD | Likely to evolve significantly | Last updated September 2015 | Very limited. Supported: Firefox mobile 40+. Not supported: Safari on iOS, Internet Explorer on Windows Phone, Android browser, Opera mobile, Chrome for Android | | Started |
| Humidity sensor | Ambient Humidity Events | Device APIs | N/A | Unofficial draft | Last updated October 2013 | None. Not supported: Safari on iOS, Internet Explorer on Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android | | N/A |
| Generic Sensors | Generic Sensor API | Device APIs | ed | Early draft | Last updated June 2015 | N/A | | N/A |
| Camera & Microphone streams | Media Capture and Streams | Device APIs and Web Real-Time Communications | LastCall | Stabilizing | Last updated August 2015 | Growing. Supported: Firefox mobile 40+, Android browser 44+, Opera mobile 12+, Chrome for Android 44+. Not supported: Safari on iOS, Internet Explorer on Windows Phone | | Started |
| Bluetooth | Web Bluetooth | Web Bluetooth Community Group | Not on standards track | Early draft | Last updated August 2015 | Experimental. Not supported: Safari on iOS, Internet Explorer on Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android | | N/A |

5. Network Integration

Interacting with the network is key to any Cloud-oriented application or service.

The Web platform is growing a number of APIs that facilitate establishing network connectivity in different contexts.

XMLHttpRequest (the basis for Ajax development) is a widely deployed API to load content from Web servers using the HTTP and HTTPS protocols: the W3C specification (formerly known as XMLHttpRequest Level 2) was meant to document the existing deployed API (with the ability to make requests on servers in a different domain, programmatic feedback on the progress of the network operations, and more efficient handling of binary content), but that work is now likely to be done only in the WHATWG. The WHATWG fetch API also provides a more powerful Promise-based alternative.

The Beacon API aims at letting developers queue unsupervised HTTP requests, leaving it to the browser to execute them when appropriate, opening the door for better network optimizations.

Early work on a Web Background Synchronization API would provide a robust Service Worker-based mechanism to enable Web applications to download and upload content in the background, even in the absence of a running browser.

By default, browsers do not allow requests to be made across different domains (or more specifically, across different origins, an origin being the combination of protocol, domain and port) from a single Web page; this rule protects the user from a Web site abusing their credentials and stealing their data on another Web site. Sites can opt out of that rule by making use of the Cross-Origin Resource Sharing mechanism, opening up much wider cooperation across Web applications and services.
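How a service can scope the opt-out described above, as an added example that is not part of the W3C roadmap: the first function reflects any origin with credentials allowed, the second compares the normalised (protocol, domain, port) triple against an allowlist. The helper names and the `example.org` origins are hypothetical.

```javascript
// Added example, not from the W3C roadmap. Helper names are hypothetical.

// Normalise an Origin header value to its canonical "scheme://host[:port]"
// form. Returns null for anything that is not a bare http(s) origin.
function originOf(value) {
  let u;
  try {
    u = new URL(value);
  } catch {
    return null; // e.g. the literal string "null" sent by sandboxed documents
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (u.username || u.password || u.pathname !== '/' || u.search || u.hash) return null;
  return u.origin; // host is lower-cased, default ports (80/443) are dropped
}

// Weak setting: echo whatever Origin was sent and allow credentials. Every
// site is then opted in to read responses made with the user's credentials.
function reflectAnyOrigin(requestOrigin) {
  if (!requestOrigin) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Corrected setting: exact match of the normalised origin against an
// allowlist fixed at start-up. No prefix, suffix or substring matching.
function makeCorsPolicy(allowedOrigins, { credentials = false } = {}) {
  const allowed = new Set(allowedOrigins.map(originOf));
  if (allowed.has(null)) throw new Error('allowlist contains an invalid origin');

  return function corsHeaders(requestOrigin) {
    const normalised = requestOrigin ? originOf(requestOrigin) : null;
    if (normalised === null || !allowed.has(normalised)) {
      // No Access-Control-* headers: the browser keeps enforcing the
      // same-origin rule for this response.
      return { Vary: 'Origin' };
    }
    const headers = {
      'Access-Control-Allow-Origin': normalised,
      Vary: 'Origin', // the response differs per Origin, so caches must key on it
    };
    if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
    return headers;
  };
}

// Constructed sample Origin values for the demonstration.
const SAMPLE_ORIGINS = [
  'https://app.example.org',               // allowlisted
  'https://app.example.org:8443',          // same host, different port
  'http://app.example.org',                // same host, different protocol
  'https://app.example.org.other.example', // lookalike host, different origin
  'null',                                  // opaque origin
];

// Compare both settings over the samples.
function evaluateSamples() {
  const strict = makeCorsPolicy(['https://app.example.org'], { credentials: true });
  return SAMPLE_ORIGINS.map((origin) => ({
    origin,
    reflected: 'Access-Control-Allow-Origin' in reflectAnyOrigin(origin),
    allowlisted: 'Access-Control-Allow-Origin' in strict(origin),
  }));
}

console.log(evaluateSamples());
```

Only the first sample is granted access by the allowlist policy, while the reflecting policy grants all five.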

XMLHttpRequest is useful for client-initiated network requests, but mobile devices with their limited network capabilities and the cost that network requests induce on their battery (and sometimes on their users' bills) can often make better use of server-initiated requests. The Server-Sent Events API allows triggering DOM events based on push notifications (via HTTP and other protocols).

Early work on a Push API would allow Web applications to receive server-sent messages whether or not the said Web app is active in a browser window. An IETF Working Group charter is under discussion to standardize the protocol aspects of the mechanism.

The WebSocket API, built on top of the IETF WebSocket protocol, offers a bidirectional, more flexible, and less resource intensive network connectivity than XMLHttpRequest.

The work on Web Real-Time Communications will also provide direct peer-to-peer data connections between browsers with real-time characteristics, opening the way to collaborative multi-device Web applications.

Of course, an important part of using network connectivity relies on being able to determine if such connectivity exists, and the type of network available. The HTML5 onLine DOM flag (and its associated change event, ononline) signals when network connectivity is available to the Web environment.

The network-information API, which was supposed to address discovery of the network characteristics, has been abandoned for the time being due to lack of clear supporting use cases.

The Resource Timing API offers to measure precisely the impact of the network on the time needed to load various resources, offering another approach to adapt a Web app to its network environment.

| Feature | Specification | Working Group | Maturity | Stability | Latest editors draft | Current implementations | Developers doc | Test suite |
|---|---|---|---|---|---|---|---|---|
| HTTP(s) network API | XMLHttpRequest Level 1 | Web Applications | WD | Likely to be abandoned in favor of WHATWG specification | Last updated May 2014 | Well deployed (Safari iOS 8+, IE Windows Phone 10+, Firefox mobile 40+, Android browser 4.4.3+, Opera mobile 12+, Chrome for Android 44+) | | Good coverage |
| | Web Background Synchronization | Web Applications | N/A | Early draft | Last updated April 2015 | None (not supported in Safari iOS, IE Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android) | | None |
| Cross-domain requests | Cross-Origin Resource Sharing | Web Applications and Web Application Security | REC | Stable | | Well-deployed (Safari iOS 6.0+, IE Windows Phone 11+, Firefox mobile 40+, Android browser 4.4+, Opera mobile 12+, Chrome for Android 44+) | WebPlatform.org | Well started |
| Server-pushed requests | Server-Sent Events | Web Applications | REC | Stable | Finished | Getting well-deployed (Safari iOS 4.0+, Firefox mobile 40+, Android browser 4.4+, Opera mobile 11.1+, Chrome for Android 44+; not supported in IE Windows Phone) | WebPlatform.org | Good coverage |
| | Push API | Web Applications | WD | Early draft, now with Service Workers | Last updated August 2015 | Limited (Chrome for Android 42+; not supported in Safari iOS, IE Windows Phone, Firefox mobile, Android browser, Opera mobile) | | N/A |
| Bidirectional connections | The WebSocket API | Web Applications | CR | Stable | Last updated June 2014 | Good deployment (Safari iOS 6.0+, IE Windows Phone 10+, Firefox mobile 40+, Android browser 4.4+, Opera mobile 12.1+, Chrome for Android 44+) | WebPlatform.org, W3DevCampus | Good coverage |
| P2P data connections | WebRTC 1.0: Real-time Communication Between Browsers | Web Real-Time Communications | WD | Early draft | Last updated June 2015 | Growing (Firefox mobile 40+, Android browser 44+, Opera mobile 30+, Chrome for Android 44+; not supported in Safari iOS, IE Windows Phone) | WebPlatform.org | Early start |
| on-line state | onLine state in HTML5 | HTML | REC | Stable | Finished | Limited (IE Windows Phone 8+, Android browser 2.2+, Chrome for Android 18+; not supported in Safari iOS, Firefox mobile, Opera mobile) | | Well started |
| Network characteristics | The Network Information API | Device APIs | Retired | Abandoned for now, but might be restarted | Last updated November 2014 | Limited (Firefox mobile 10+, Android browser 2.2+, Chrome for Android 38+; not supported in Safari iOS, IE Windows Phone, Opera mobile) | | None |
| | Resource Timing | Web Performance | WD | Stable | Last updated August 2015 | Growing (IE Windows Phone 10+, Firefox mobile 40+, Android browser 4.4+, Opera mobile 30+, Chrome for Android 44+; not supported in Safari iOS) | | Well started |

6. Application Lifecycle

While Cloud services are potentially always in operation, their usage by end-users depends on their proper integration in the clients that they interact with, whose lifecycles depend on many parameters: battery, network connectivity, visibility on the device, etc.

These notions are part of the overall application lifecycle: how applications get installed, shown to the user in the applications list, started, stopped, woken up from remote notifications, synced up when the device goes on-line.

These various capabilities are brought to the Web platform through different mechanisms.

Although the notion of installed Web applications is still not well-defined, there are several components to the notion of installation that are under development.

Packaging on the Web describes a Web-adapted format to make Web content available in a single file for ease of download, sharing or archiving.

Whether packaged or not, users rely on a variety of metadata (name, icons) to identify the apps they want to use among their list of regularly used applications. The JSON-based manifest format lets developers group all these metadata in a single JSON file.

HTML5’s ApplicationCache enables access to Web applications off-line through the definition of a manifest of files that the browser is expected to keep in its cache.

While relatively well deployed, the current approach has shown some strong limitations in terms of how much developers can control what gets cached when. The Web Applications Working Group has thus been developing a more powerful approach, ServiceWorker.

Not only does Service Worker enable Web applications to work seamlessly off-line or in poor network conditions, it also creates a model for Web applications to operate when they have not been opened in a browser window, or even if the browser itself is not running.

That ability opens the door for Web applications that run in the background and can react to remotely triggered events.

The Task Scheduler API makes it possible to trigger a task at a specified time via the Web app service worker. While the System Applications Working Group in which this API was developed has closed, the ServiceWorker-based approach taken in the specifications may make it an interesting starting point for further work in this space.

Similarly, the new geofencing API makes it possible to wake up a Web app when a device enters a specified geographical area.

The Push API enables Web applications to subscribe to remote notifications that, upon reception, wake them up. Native applications have long enjoyed the benefits of greater user engagement that these notifications bring, and soon Web applications will share that ability.

Likewise, the Web Background Synchronization specification will enable Web applications to keep their user data up to date seamlessly, by running network operations in the background.

The Page Visibility specification lets developers detect when their application is in the foreground, and thus adapt their operations and resource consumption accordingly.

| Feature | Specification | Working Group | Maturity | Stability | Latest editors draft | Current implementations | Developers doc | Test suite |
|---|---|---|---|---|---|---|---|---|
| Packaging | Packaging on the Web | TAG and Web Applications | WD | Early draft | Last updated February 2015 | None (not supported in Safari iOS, IE Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android) | | N/A |
| | Manifest for a web application | Web Applications | WD | Early draft | Last updated August 2015 | Limited (Firefox mobile 27+, Chrome for Android 39+; not supported in Safari iOS, IE Windows Phone, Android browser, Opera mobile) | | N/A |
| Offline Web Apps | ApplicationCache in HTML5 | HTML | REC | Stable (but Service Workers will be the preferred approach when available) | Finished | Well deployed (Safari iOS 3.2+, IE Windows Phone 10+, Firefox mobile 40+, Android browser 2.1+, Opera mobile 11+, Chrome for Android 44+) | WebPlatform.org, W3DevCampus | None |
| | Service Workers | Web Applications | WD | Early draft | Last updated September 2015 | Limited (Android browser 44+, Opera mobile 30+, Chrome for Android 44+; not supported in Safari iOS, IE Windows Phone, Firefox mobile) | | Well started |
| Scheduled tasks | Task Scheduler API Specification | System Applications | Retired | Early draft | Last updated October 2014 | None (not supported in Safari iOS, IE Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android) | | None |
| Geofencing | Geofencing API | Geolocation | WD | Just started | Last updated June 2015 | None (not supported in Safari iOS, IE Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android) | | None |
| Remote Notifications | Push API | Web Applications | WD | Early draft, now with Service Workers | Last updated August 2015 | Limited (Chrome for Android 42+; not supported in Safari iOS, IE Windows Phone, Firefox mobile, Android browser, Opera mobile) | | N/A |
| Background Sync | Web Background Synchronization | Web Applications | N/A | Early draft | Last updated April 2015 | None (not supported in Safari iOS, IE Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android) | | None |
| Foreground detection | Page Visibility | Web Performance | REC | | Finished | Well deployed (Safari iOS 7.0+, IE Windows Phone 10+, Firefox mobile 40+, Android browser 4.4+, Opera mobile 12.1+, Chrome for Android 44+) | | Good coverage |

7. Payment and Services

Our new W3C activity on payment is already looking at Cloud integration, e.g. the differences between eWallets that reside on your phone and those that reside in the cloud, or more generally any payment card details managed either on a secure element or in the cloud. Of course, the things people buy online, the actual data or resources, may be outsourced to a cloud service provider, so communication and protocols must be developed in this context.

Meanwhile, HTML5.1 provides specific help for autocomplete of credit card details, making it easier to pay via credit cards after these details have been entered once.

| Feature | Specification | Working Group | Maturity | Stability | Latest editors draft | Current implementations | Developers doc | Test suite |
|---|---|---|---|---|---|---|---|---|
| Integrated payment | Credit card details autocomplete in HTML 5.1 | HTML | WD | Early draft | | Very limited (Chrome for Android 31+; support unknown in Safari iOS, IE Windows Phone, Firefox mobile, Android browser, Opera mobile) | | None |

8. Performance & Tuning

The work started by the Web Performance Working Group on Navigation Timing, Resource Timing, Performance Timeline and User Timing gives Web developers tools for optimizing their Web applications. The work on the Frame Timing API aims at providing detailed information on the frames per second achieved when an application is running on the user device.

The Resource Hints and Preload specifications let developers optimize the download of resources by making it possible to delay either the download or the execution of the downloaded resource.

The proposed work on Efficient Script Yielding offers Web developers the opportunity to use asynchronous programming more efficiently, but has so far gained very limited traction.

The requestIdleCallback API similarly proposes a way for scheduling an operation at the next opportunity when the app is not processing another operation.

Beyond optimization of resources, the perceived reactivity of an application is also a critical aspect of the mobile user experience. The thread-like mechanism made possible via Web Workers allows keeping the user interface responsive by offloading the most resource-intensive operations into a background process.

| Feature | Specification | Working Group | Maturity | Stability | Latest editors draft | Current implementations | Developers doc | Test suite |
|---|---|---|---|---|---|---|---|---|
| Timing hooks | Navigation Timing | Web Performance | REC | | Finished | Well deployed (Safari iOS 8+, IE Windows Phone 10+, Firefox mobile 40+, Android browser 4+, Opera mobile 30+, Chrome for Android 44+) | | Good coverage |
| | Resource Timing | Web Performance | WD | Stable | Last updated August 2015 | Growing (IE Windows Phone 10+, Firefox mobile 40+, Android browser 4.4+, Opera mobile 30+, Chrome for Android 44+; not supported in Safari iOS) | | Well started |
| | Performance Timeline | Web Performance | REC | | Finished | Limited (IE Windows Phone 11+, Chrome for Android 30+; support unknown in Safari iOS, Firefox mobile, Android browser, Opera mobile) | | Started |
| | User Timing | Web Performance | REC | | Finished | Growing (IE Windows Phone 10+, Firefox mobile 40+, Android browser 4.4+, Opera mobile 30+, Chrome for Android 44+; not supported in Safari iOS) | | Well started |
| | Frame Timing | Web Performance | WD | Early draft | Last updated June 2015 | None (not supported in Safari iOS, IE Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android) | | None |
| Network prioritization | Resource Hints | Web Performance | WD | Early draft | Last updated August 2015 | Growing deployment (IE Windows Phone 11+, Firefox mobile 40+, Android browser 4+, Opera mobile 30+, Chrome for Android 44+; not supported in Safari iOS) | | None |
| | Preload | Web Performance | WD | Early draft | Last updated September 2015 | None? | | None |
| Priority handling | Efficient Script Yielding | Web Performance | ED | Early draft | Last updated April 2014 | Very limited (IE Windows Phone 10+; not supported in Safari iOS, Firefox mobile, Android browser, Opera mobile, Chrome for Android) | | None |
| Threading | Web Workers | Web Applications | CR | Stable | Last updated May 2014 | Well deployed (Safari iOS 5.0+, IE Windows Phone 10+, Firefox mobile 40+, Android browser 2.1+, Opera mobile 11+, Chrome for Android 44+) | WebPlatform.org, W3DevCampus | Good coverage |

9. Security & Privacy

Security and privacy clearly have a big intersection with the Cloud, and all Cloud programmers should follow this work if they want to write secure cloud web apps, which are concerned with identity, encryption, etc.

The first line of defense for users, and the unit of isolation for Web apps, is the same-origin policy, which roughly limits what a Web application can access to content and data hosted on the same origin, i.e. the combination of URL scheme, domain name and port.

For legacy reasons, this policy is not as stringent on some parts of the Web platform, exposing users to a greater attack surface via cross-site scripting or cross-site request forgery. To enable Web application authors to reduce the attack surface beyond what legacy requires, the Content Security Policy (level 2) offers hooks that severely limit the damage that an attacker could hope to achieve.
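The origin comparison and the Content Security Policy source check described in the two paragraphs above, as an added example (not code from W3C or from any browser). It is a simplified model of CSP Level 2 matching for script URLs that handles 'self', scheme, host and wildcard-host sources and fails closed on path sources; the function names and the example.* hosts are constructed for illustration.

```javascript
// Simplified model, added for illustration: same-origin comparison and
// CSP Level 2 source-list matching for script URLs. Not a full implementation.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// An origin is the (scheme, host, port) triple; default ports are made explicit
// so that https://host/ and https://host:443/ compare equal.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Parse "name value value; name value" into a Map of directive -> source list.
// A repeated directive is ignored: the first occurrence wins.
function parsePolicy(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Does one source expression match the URL being loaded?
function matchesSource(expr, url, documentUrl) {
  const target = originOf(url);
  const lower = expr.toLowerCase();
  if (lower === "'self'") return sameOrigin(url, documentUrl);
  if (lower === '*') return target.scheme === 'http:' || target.scheme === 'https:';
  if (/^[a-z][a-z0-9+.-]*:$/.test(lower)) return target.scheme === lower; // e.g. "https:"
  if (lower.startsWith("'")) return false; // 'none', 'unsafe-inline', nonces, hashes

  // host-source: [scheme://][*.]host[:port]; path sources are not modelled
  // here and do not match (fail closed).
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(lower);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;

  const docScheme = originOf(documentUrl).scheme;
  if (scheme) {
    if (target.scheme !== scheme + ':') return false;
  } else if (!(target.scheme === docScheme ||
               (docScheme === 'http:' && target.scheme === 'https:'))) {
    return false; // no scheme given: follow the document's scheme (http may load https)
  }

  // "*.example.org" matches subdomains only, never example.org itself.
  const hostOk = wildcard ? target.host.endsWith('.' + host) : target.host === host;
  if (!hostOk) return false;

  // No port given: only the default port for the URL's scheme is accepted.
  if (port === undefined) return target.port === DEFAULT_PORTS[target.scheme];
  return port === '*' || target.port === port;
}

// May `url` be loaded as a script by the page at `documentUrl` under `header`?
function scriptAllowed(header, url, documentUrl) {
  const policy = parsePolicy(header);
  const sources = policy.get('script-src') || policy.get('default-src');
  if (sources === undefined) return true; // no applicable directive: no restriction
  return sources.some((expr) => matchesSource(expr, url, documentUrl));
}

// Constructed sample policy and document URL.
const SAMPLE_DOC = 'https://app.example.com/index.html';
const SAMPLE_POLICY =
  "default-src 'none'; script-src 'self' https://cdn.example.net *.static.example.org";
```
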

To further strengthen the integrity of their applications, Web developers can make use of the proposed Subresource Integrity mechanism, which makes it possible to block man-in-the-middle attacks or compromised third-party providers.

Entry Point Regulation provides another layer of strengthening and offers to filter the type of HTTP requests that can be made from external sites, reducing risks of cross-site scripting and cross-site request forgery.

In applications that aggregate content from multiple (possibly untrusted) sources, the HTML5 iframe sandbox makes it possible to restrict what kind of interactions third-party embedded content can make use of.

As described earlier, the Web Cryptography API provides the necessary tools to encrypt data for storage and transmission from within Web applications, with access to pre-provisioned keys via the WebCrypto Key Discovery API.

There are discussions to bring the capabilities of hardware-security modules to the Web, to enable access to high-security operations for encryption, payment, identity proof, etc., embodied in a draft charter for a Hardware Security Working Group.

For users who wish to indicate their preference not to be tracked across Web applications and sites, the Tracking Preference Expression (also known as Do Not Track) enables browsers to communicate that wish explicitly to content providers, and to determine whether a given content provider asserts that it fulfills that wish.

To facilitate the authentication of users to on-line services, the Web Application Security Working Group is proposing a credential management API that lets developers interact more seamlessly with user-agent-managed credentials.

| Feature | Specification | Working Group | Maturity | Stability | Latest editors draft | Current implementations | Developers doc | Test suite |
|---|---|---|---|---|---|---|---|---|
| Strengthened security | Content Security Policy Level 2 | Web Application Security | CR | Stable | Last updated August 2015 | Well-deployed (Safari iOS 6.0+, IE Windows Phone 10+, Firefox mobile 40+, Android browser 4.4+, Opera mobile 30+, Chrome for Android 44+) | WebPlatform.org | Well started |
| | Subresource Integrity | Web Application Security | WD | Just started | Last updated August 2015 | Limited (Chrome for Android 45+; not supported in Safari iOS, IE Windows Phone, Firefox mobile, Android browser, Opera mobile) | | None |
| | Entry Point Regulation | Web Application Security | WD | Just started | Last updated June 2015 | None (support unknown in Safari iOS, IE Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android) | | None |
| | Sandboxed iframe in HTML5 | HTML | REC | Stable | Finished | Widely deployed (Safari iOS 4.2+, IE Windows Phone 10+, Firefox mobile 40+, Android browser 2.2+, Opera mobile 30+, Chrome for Android 44+) | | None |
| Encryption | Web Cryptography API | Web Cryptography | CR | Stable | Last updated November 2014 | Well deployed (Safari iOS 8+, IE Windows Phone 11+, Firefox mobile 19+, Android browser 44+, Opera mobile 30+, Chrome for Android 44+) | | Early start |
| | WebCrypto Key Discovery | Web Cryptography | WD | Early work | Last updated May 2014 | None (not supported in Safari iOS, IE Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android) | | None |
| Tracking protection | Tracking Preference Expression (DNT) | Tracking Protection | CR | Stabilizing | | Good deployment (Safari iOS 5+, IE Windows Phone 9+, Firefox mobile 6+, Chrome for Android 23+; support unknown in Android browser, Opera mobile) | | None |
| Identity management | Credential Management Level 1 | Web Application Security | WD | Early draft | Last updated September 2015 | None (not supported in Safari iOS, IE Windows Phone, Firefox mobile, Android browser, Opera mobile, Chrome for Android) | | N/A |

Acknowledgments

Thanks to Art Barstow, Anssi Kostiainen, Jo Rabin, J. Manrique López, Mounir Lamouri, Marcos Caceres, François Daoust and Ronan Cremin for their contributions to this document.

This document is produced through the HTML5Apps project, funded by the European Union through the Seventh Framework Programme (FP7/2013-2015) under grant agreement n°611327 - HTML5 Apps.