Roadmap of Web Applications on Mobile >

Security and Privacy

September 2020

Mobile devices follow their users everywhere, and hold some of their most private or confidential data (contacts, pictures, calendar, etc.) As a result, it is critical for users to be able to rely on their phones to keep that data safe from attackers.

W3C specifications are reviewed for their security and privacy impact as part of their progress through the Recommendation track. The Self-Review Questionnaire: Security and Privacy and the Mitigating Browser Fingerprinting in Web Specifications documents provide guidance to help groups evaluate the impact of the technologies they develop and explore threat mitigation strategies when necessary.

Security and privacy technologies listed below have a particular resonance in a mobile context. Please check the Security roadmap document for a more comprehensive overview of security on the Web.

Well-deployed technologies

Strengthened security

The first line of defense for users, and the unit of isolation for Web apps is the same-origin policy that roughly limits what a Web application can access to content and data hosted on the same origin, i.e. the combination of URL scheme, domain name and port.

For legacy reasons, this policy is not as stringent on some parts of the Web platform, exposing users to greater attack surface via cross-site scripting or cross-site request forgery. To enable Web application authors to reduce the attack surface beyond what legacy requires, the Content Security Policy offers hooks that severely limits damages that an attacker could hope to achieve. An application delivered over a secure channel with CSP enabled can assure that users receive it as it was intended to be executed.

To further strengthen the integrity of their applications, Web developers can make use of the proposed Subresource integrity mechanism that makes it possible to block man-in-the-middle attacks or compromised third-parties providers.

The Mixed Content specification helps to migrate the Web toward being secure by default, by setting clear rules as to when content that is not served over HTTPs can or cannot be loaded from an HTTPs page.

In applications that aggregate content from multiple (possibly untrusted) sources, the HTML5 iframe sandbox attribute makes it possible to restrict the kind of interactions third-party embedded content can make use of.

Encryption

The Web Cryptography API provides the necessary tools to encrypt data for storage and transmission from within Web applications, with access to pre-provisioned keys via the WebCrypto Key Discovery API.

Authentication

Building on the passwordless and multi-factor authentication work of the FIDO Alliance, Web Authentication standardizes strong authentication for the Web, using a combination of "something you have" (e.g. an authentication key) coupled with "something you know" (e.g. a PIN code) and/or "something you are" (e.g. a fingerprint), so that hacking a password database is no longer sufficient to hijack user accounts.

Feature	Specification / Group	Current implementations Select browsers… Chrome Microsoft Edge Firefox Safari / WebKit Baidu Browser Opera QQ Browser Samsung Internet UC Browser
Strengthened security	Content Security Policy Level 2 Web Application Security Working Group	Shipped: Shipped in Chrome (desktop, mobile). Source: Chrome Platform Status.Shipped in Microsoft Edge (desktop). Source: Chrome Platform Status.Shipped in Firefox (desktop, mobile). Source: Can I use.Shipped in Safari (desktop, mobile). Source: Can I use.Shipped in Baidu Browser (mobile). Source: Can I use.Shipped in Opera (desktop, mobile). Source: Can I use.Shipped in QQ Browser (mobile). Source: Can I use.Shipped in Samsung Internet (mobile). Source: Can I use.
	Subresource Integrity Web Application Security Working Group	Shipped: Shipped in Chrome (desktop, mobile). Source: Chrome Platform Status.Shipped in Microsoft Edge (desktop). Source: Chrome Platform Status.Shipped in Firefox (desktop, mobile). Source: Can I use.Shipped in Safari (desktop, mobile). Source: Can I use.Shipped in Baidu Browser (mobile). Source: Can I use.Shipped in Opera (desktop). Source: Can I use.Shipped in QQ Browser (mobile). Source: Can I use.Shipped in Samsung Internet (mobile). Source: Can I use.Shipped in UC Browser (mobile). Source: Can I use.
	Mixed Content Web Application Security Working Group	Shipped: Shipped in Chrome (desktop, mobile). Source: Chrome Platform Status.Shipped in Microsoft Edge (desktop). Source: Chrome Platform Status.Shipped in Firefox (desktop). Source: Chrome Platform Status.
	sandbox iframe attribute in HTML Standard WHATWG	Shipped: Shipped in Chrome (desktop, mobile). Source: Chrome Platform Status.Shipped in Microsoft Edge (desktop). Source: Chrome Platform Status.Shipped in Firefox (desktop, mobile). Source: Can I use.Shipped in Safari (desktop, mobile). Source: Can I use.Shipped in Baidu Browser (mobile). Source: Can I use.Shipped in Opera (desktop, mobile). Source: Can I use.Shipped in QQ Browser (mobile). Source: Can I use.Shipped in Samsung Internet (mobile). Source: Can I use.Shipped in UC Browser (mobile). Source: Can I use.
Encryption	Web Cryptography API Web Cryptography Working Group	Shipped: Shipped in Chrome (desktop, mobile). Source: Chrome Platform Status.Shipped in Microsoft Edge (desktop). Source: Chrome Platform Status.Shipped in Firefox (desktop, mobile). Source: Can I use.Shipped in Safari (desktop, mobile). Source: Can I use.Shipped in Baidu Browser (mobile). Source: Can I use.Shipped in Opera (desktop, mobile). Source: Can I use.Shipped in QQ Browser (mobile). Source: Can I use.Shipped in Samsung Internet (mobile). Source: Can I use.Shipped in UC Browser (mobile). Source: Can I use.
Encryption	WebCrypto Key Discovery Web Cryptography Working Group
Authentication	Web Authentication:An API for accessing Public Key Credentials Level 2 Web Authentication Working Group	Shipped: Shipped in Chrome (desktop, mobile). Source: Chrome Platform Status.Shipped in Microsoft Edge (desktop). Source: Chrome Platform Status.Shipped in Firefox (desktop). Source: Can I use.Shipped in Safari (desktop, mobile). Source: Can I use.Shipped in Opera (desktop). Source: Can I use.

Technologies in progress

Strengthened security

Cross-site scripting (XSS) is considered to be one of the major attack vectors on the Web. Trusted Types allows applications to lock down DOM-based XSS injection sinks (e.g. Element.innerHTML, or Location.href setters) to only accept non-spoofable, typed values in place of strings.

Permissions

Many sensitive APIs, e.g. those that expose mobile device sensors, are gated by a request for user consent; while these requests give control to the user, they can be sometimes hard to integrate in the overall user experience without visibility on which permission has been granted or denied. The Permissions API aims at fixing this.

Identity Management

To facilitate the authentication of users to on-line services, the Web Application Security Working Group is proposing a Credential Management API that lets developers interact more seamless with user-agent-managed credentials.

Secure contexts

Secure Contexts recommends that powerful features of the Web platform, including application code with access to sensitive or private data, be delivered only in secure contexts, over authenticated and confidential channels that guarantee data integrity. As the draft indicates, "delivering code securely cannot ensure that an application will always meet a user's security and privacy requirements, but it is a necessary precondition."

HTTPs adoption

Web sites with a lot of existing content set up to use resources loaded over HTTP can find the task of migrating that content to HTTPs daunting. The Upgrade Insecure Requests specification helps that migration by instructing the browser to load these resources over HTTPs.

Referrer Policy

Referrer Policy helps web developers control the amount of information present in the Referer HTTP header or even whether the header is sent at all.

Sandboxing

The User Interface Security and the Visibility API document proposes to eliminate clickjacking by assuring element visibility at the graphics rendering level. For instance, a developer deploying it can assure that users clicking their site's "pay" button aren't being tricked into transferring their bank balances to an imposter instead.

Permissions policy

As more powerful features keep being exposed to applications, site authors need more fine-grained control over features that are enabled/disabled in their application as well as in own or third-party content that their application may embed (in iframes), to reinforce security. The Permissions Policy defines mechanisms (the Permissions-Policy HTTP header and the allow attribute on an iframe element) to selectively enable and disable use of various browser features and APIs. Developers may also use the policy to assert a promise to a client or an embedder about the use — or lack of thereof — of certain features and APIs.

Feature	Specification / Group	Current implementations Select browsers… Chrome Microsoft Edge Firefox Safari / WebKit Baidu Browser Opera QQ Browser Samsung Internet UC Browser
Strengthened security	Trusted Types	Shipped: Shipped in Chrome (desktop, mobile). Source: Chrome Platform Status.Shipped in Microsoft Edge (desktop). Source: Chrome Platform Status.Shipped in Opera (desktop). Source: Can I use. Polyfills trusted-types
Permissions	Permissions Web Application Security Working Group	Shipped: Shipped in Chrome (desktop, mobile). Source: Chrome Platform Status.Shipped in Microsoft Edge (desktop). Source: Chrome Platform Status.Shipped in Firefox (desktop, mobile). Source: Can I use.Shipped in Opera (desktop). Source: Can I use.Shipped in Samsung Internet (mobile). Source: Can I use.
Identity Management	Credential Management Level 1 Web Application Security Working Group	Shipped: Shipped in Chrome (desktop, mobile). Source: Chrome Platform Status.Shipped in Microsoft Edge (desktop). Source: Chrome Platform Status.Shipped in Firefox (mobile). Source: MDN Browser Compatibility Data.Shipped in Opera (desktop). Source: Can I use.Shipped in Samsung Internet (mobile). Source: Can I use.Shipped in UC Browser (mobile). Source: Can I use. In development: In development in Safari (desktop). Source: Chrome Platform Status.
Secure contexts	Secure Contexts Web Application Security Working Group	In development: In development in Chrome (desktop, mobile). Source: Chrome Platform Status.In development in Microsoft Edge (desktop). Source: Chrome Platform Status. Under consideration: Under consideration in Firefox (desktop). Source: Chrome Platform Status.
HTTPs adoption	Upgrade Insecure Requests Web Application Security Working Group	Shipped: Shipped in Chrome (desktop, mobile). Source: Chrome Platform Status.Shipped in Microsoft Edge (desktop). Source: Chrome Platform Status.Shipped in Firefox (desktop, mobile). Source: Can I use.Shipped in Safari (desktop, mobile). Source: Can I use.Shipped in Baidu Browser (mobile). Source: Can I use.Shipped in Opera (desktop). Source: Can I use.Shipped in QQ Browser (mobile). Source: Can I use.Shipped in Samsung Internet (mobile). Source: Can I use.
Referrer Policy	Referrer Policy Web Application Security Working Group	Shipped: Shipped in Chrome (desktop, mobile). Source: Chrome Platform Status.Shipped in Microsoft Edge (desktop). Source: Chrome Platform Status.Shipped in Firefox (desktop, mobile). Source: Can I use.Shipped in Safari (desktop, mobile). Source: Can I use.Shipped in Baidu Browser (mobile). Source: Can I use.Shipped in Opera (desktop). Source: Can I use.Shipped in QQ Browser (mobile). Source: Can I use.Shipped in Samsung Internet (mobile). Source: Can I use.Shipped in UC Browser (mobile). Source: Can I use.
Sandboxing	User Interface Security and the Visibility API Web Application Security Working Group
Permissions policy	Permissions Policy Web Application Security Working Group	In development: In development in Chrome (desktop, mobile). Source: Chrome Platform Status.In development in Microsoft Edge (desktop). Source: Chrome Platform Status. Under consideration: Under consideration in Firefox (desktop). Source: Chrome Platform Status.

Exploratory work

Permissions

Different APIs use different mechanisms to grant permission to use or access an underlying powerful feature. To ease design of permission-related code, the Requesting permissions and Relinquishing permissions proposals extend the Permissions API to provide a uniform function for requesting and revoking permission to use powerful features.

Strengthened privacy

Main browser vendors progressively introduce more stringent rules for technologies that may be abused to track users without their consent. One example is third-party cookies which are being phased out from main browsers. Several proposals are being discussed to replace these technologies and otherwise extend the Web platform with solutions that give users control on whether sites may track them:

isLoggedIn for websites to inform the web browser of the user's login state and allow browsers to restrict features such as long term storage and cookies to scenarios where the user is logged in.
Trust Token API to propagate trust across sites, using the Privacy Pass protocol as an underlying primitive.
First-Party Sets to declare a collection of related domains as being in a first-party set.
Private Click Measurement to attribute a conversion, such as a purchase or a sign-up, to a previous ad click in a privacy-preserving way.
JS Isolation via Origin Labels and Membranes to allow an application to include remote code without giving that code access to all of the capabilities of the including origin, including document, navigator and other related Web API, and DOM defined interfaces.
The Storage Access API to give a way for content inside <iframe> elements to request and be granted access to their client-side storage, provided user agrees to it, so that embedded content which relies on having access to client-side storage can work in browsers that would otherwise prevent this behavior to preserve the user's privacy.
TURTLEDOVE to put the browser, not the advertiser, in control of the information about what the advertiser thinks a person is interested in.
SPARROW, which builds on top of TURTLEDOVE, and gives advertisers more control over the user experience, whilst keeping privacy guarantees.

Feature	Specification / Group	Implementation intents Select browsers… Chrome Microsoft Edge Firefox Safari / WebKit Baidu Browser Opera QQ Browser Samsung Internet UC Browser
Permissions	Requesting Permissions Web Platform Incubator Community Group	Under consideration: Under consideration in Firefox (desktop). Source: Chrome Platform Status.
Permissions	Relinquishing Permissions Web Platform Incubator Community Group	Under consideration: Under consideration in Firefox (desktop). Source: Chrome Platform Status.
Strengthened privacy	IsLoggedIn Privacy Community Group
	Trust Token API Web Platform Incubator Community Group	In development: In development in Chrome (desktop, mobile). Source: Chrome Platform Status.In development in Microsoft Edge (desktop). Source: Chrome Platform Status. Under consideration: Under consideration in Safari (desktop). Source: Chrome Platform Status.
	First-Party Sets Privacy Community Group	Under consideration: Under consideration in Chrome (desktop, mobile). Source: Chrome Platform Status.Under consideration in Microsoft Edge (desktop). Source: Chrome Platform Status.Under consideration in Safari (desktop). Source: Chrome Platform Status.
	Private Click Measurement Privacy Community Group
	JS Isolation via Origin Labels and Membranes Privacy Community Group
	The Storage Access API Privacy Community Group	Shipped: Shipped in Firefox (desktop). Source: Chrome Platform Status.Shipped in Safari (desktop, mobile). Source: Chrome Platform Status. Experimental: Experimental in Firefox (mobile). Feature is behind a flag. Source: MDN Browser Compatibility Data. In development: In development in Chrome (desktop, mobile). Source: Chrome Platform Status.In development in Microsoft Edge (desktop). Source: Chrome Platform Status.
	TURTLEDOVE Web Platform Incubator Community Group
	SPARROW Web Platform Incubator Community Group

Discontinued features

HTTP request filtering: The Entry Point Regulation specification provided another layer of strengthening security. It defined a mechanism to filter the type of HTTP requests that can be made from external sites, reducing risks of cross-site script and cross-site request forgery. Work on this specification has been discontinued for the time being.
Tracking preference expression: For users that wish to indicate their preferences not to be tracked across Web applications and sites, the Tracking Preference Expression (also known as Do No Track) enabled browsers to communicate explicitly their wish to content providers, and for servers to communicate their own tracking behavior, request consent and store user-granted exceptions. Not all content providers honor users' expressed preferences though, and lack of deployment of these extensions (as defined) led the Tracking Protection Working Group to stop work on the specification.
Access to hardware security services: Hardware Based Secure Services aimed to improve the levels of assurance to which users and application providers are able to protect their online accounts and communications, by making hardware security services available to the Web. The creation of a working group in that space was proposed but the idea was dropped for lack of implementation support.

See anything missing?

If you know of use cases that cannot be achieved today with Web technologies, please let us know!

To that end, you can start a new topic in the W3C’s discourse forum or raise an issue on the GitHub repository of this document.

GitHub Discourse