PROPOSED Web Application Security Working Group Charter

The mission of the Web Application Security Working Group is to develop mechanisms and best practices which improve the security of Web Applications.

Join the Web Application Security Working Group.

This proposed charter is available on GitHub. Feel free to raise issues.

Start date	TBD
End date	31 July 2023
Chairs	Dan Veditz (Mozilla), Mike West (Google)
Team Contacts	Wendy Seltzer (5% FTE), Samuel Weiler (20% FTE), Mike Smith (10% FTE)
Meeting Schedule	Teleconferences: Monthly or as needed. Face-to-face: we will meet during the W3C's annual Technical Plenary week; additional face-to-face meetings may be scheduled by consent of the participants, usually no more than 3 per year.

Scope

Modern web applications are composed of many parts and technologies, creating a complex tapestry of resource and data flows between origins. This complexity, as well as the historically coarse-grained nature of the security boundaries and principals defined for such applications, makes web applications very difficult to secure. At the same time, securing these applications is ever more critical, as the web becomes more and more critical to users' lives.

This group focuses on the client side of the problem, designing mechanisms user agents can provide to web developers which mitigate the risk of common web attacks, and reduce the surface area that applications expose to attackers. Areas of scope for this working group include:

Vulnerability Mitigation

Sufficiently complex applications involve handling input from untrusted sources in ways that can lead to unexpected code execution, data manipulation, or exfiltration. This Working Group will design mechanisms which reduce the scope, exploitability, and impact of common vulnerabilities and vulnerability classes in web applications (e.g. cross-site scripting, clickjacking, and so on).

Attack Surface Reduction

The Working Group will design mechanisms which prevent certain categories of threat by reducing the privilege of a given context. This effort will result in tools developers can opt-into which:

Allow applications to restrict or forbid potentially dangerous features which they do not intend to use
Govern information and content flows into and out of an application
Allow applications to isolate themselves from other origins
Reduce the privilege of potentially untrusted content and allow it to be interacted with more safely
Ensure that application content modification may be detected and prevented
Replace or augment error-prone APIs in the browser with safer alternatives (e.g. sanitization, strict contextual autoescaping, validation and encoding requirements, and so on)
Enforce requirements on content which loads in a given context (e.g. transport security, embedder/embedee constraints, CORS, etc.)

To the extent possible, these restrictions may also be imposed by default to uniformly reduce risk at scale, or may be positioned as prerequisites to some capability or set of capabilities applications may wish to exercise.

Manageability

Given the ad-hoc nature in which many important security features of the Web have evolved, providing uniformly secure experiences to users is difficult for developers. The Working Group will document and create uniform experiences for several undefined areas of major utility, including:

Providing hinting and direct support for credential managers, whether integrated into the user-agent or 3rd-party, to assist users in managing the complexities of secure passwords
Application awareness of features which may require explicit user permission to enable.

The Web Security Model

The WG may be called on to advise other WGs or the TAG on the fundamental security model of the Web Platform. In doing so, the WG may produce Recommendations for addressing legacy issues with the model (e.g. deprecations and removals), as well as improvements to the baseline it sets (e.g. mitigating cross-origin data leaks or side-channel attacks).

WebCrypto

The WG may adopt well-supported proposals from incubation for maintenance of the Web Cryptography API.

In addition to developing Recommendation Track documents in support of these goals, the Web Application Security Working Group may provide review of specifications from other Working Groups, in particular as these specifications touch on chartered deliverables of this group (in particular CSP), or the Web security model, and may also develop non-normative documents in support of Web security, such as developer and user guides for its normative specifications.

Deliverables

Draft state, below, indicates the state of the deliverable at the time of the charter approval.

Current document status is available on the group publication status page.

The Working Group intends to publish the Mixed Content specification as a Recommendation before the end of 2021. The group will advance its other documents to Candidate Recommendation (with Snapshots) and, when they are sufficiently mature, to Recommendation. As noted below, some documents (Permissions API, Permissions Policy, and the Credential Management API) have particular milestones for being published as Candidate Recommendations.

Normative Specifications

The Working Group will deliver the following W3C normative specifications:

Fetch Metadata Request Headers

Defines a set of Fetch metadata request headers that aim to provide servers with enough information to make a priori decisions about whether or not to service a request based on the way it was made, and the context in which it will be used.

Draft state: Working Draft

Expected completion: will be incorporated into the WHATWG Fetch spec

Exclusion Draft: 27 June 2019

Other Charter: 2019 charter

A Well-Known URL for Changing Passwords

A well-known URL that sites can use to make their change password forms discoverable by tools. This simple affordance provides a way for software to help the user find the way to change their password.

Draft state: Editor's Draft

Trusted Types

An API that allows applications to lock down powerful APIs to only accept non-spoofable, typed values in place of strings to prevent vulnerabilities caused by using these APIs with attacker-controlled inputs.

Draft state: Editor's Draft

Content Security Policy Level 3

A policy language intended to enable web designers or server administrators to declare a security policy for a web resource. The goal of this specification is to reduce attack surface by specifying overall rules for what content may or may not do, thus preventing violation of security assumptions by attackers who are able to partially manipulate that content. Content Security Policy (CSP) Level 3 succeeds CSP2, which is now a Recommendation.

Draft state: Working Draft

Exclusion Draft: 26 January 2016

Other Charter: 2015 charter

Content Security Policy: Embedded Enforcement

A mechanism by which a web page can embed a nested browsing context if and only if it agrees to enforce a particular set of restrictions upon itself.

Draft state: Working Draft

Exclusion Draft: 15 December 2015

Other Charter: 2015 charter

Mixed Content

Guidance for user agents dealing with resources loaded over insecure channels in a secure web application. Use cases includes standard behaviors for user agents to follow when encountering insecure resource loads in a secure context.

Draft state: Candidate Recommendation

Expected completion: Q3 2021

Exclusion Draft: 2 August 2016

Other Charter: 2015 charter

Upgrade Insecure Requests

A mechanism to assist sites migrating from HTTP to HTTPS by allowing them to assert to a user agent that they intend a site to load only secure resources, and that insecure URLs ought to be treated as though they had been replaced with secure URLs.

Draft state: Candidate Recommendation

Exclusion Draft: 8 October 2015

Other Charter: 2015 charter

Secure Contexts

A definition for "secure contexts" allowing user agent implementers and specification authors to enable certain features only when certain minimum standards of authentication and confidentiality are met.

Draft state: Candidate Recommendation

Exclusion Draft: 15 September 2016

Other Charter: 2015 charter

Clear Site Data

An imperative mechanism which allows web developers to instruct a user agent to clear a site’s locally stored data related to a host.

Draft state: Working Draft

Exclusion Draft: 4 August 2015

Other Charter: 2015 charter

Referrer Policy

A header and meta tag allowing resource authors to specify a policy for the values sent as part of the HTTP Referer (sic) header. Use cases include making this policy more restrictive to protect applications which include security capability tokens in the URL, or allowing more permissive sharing of referrer information from secure to insecure origins to remove barriers which today prevent applications from moving to secure origins.

Draft state: Candidate Recommendation

Exclusion Draft: 26 January 2017

Other Charter: 2015 charter

Credential Management API

A standardized API to address use cases related to assisted management of user credentials, including traditional username/password pairs, username/federated identity provider pairs. The API should allow for explicit and interoperable imperative mechanism for use and lifecycle management of these common credential types.

Draft state: Working Draft

Expected publication as a Candidate Recommendation: No later than Q2 2022

Exclusion Draft: 30 April 2015

Other Charter: 2015 charter

Subresource Integrity Level 2

A successor to the Subresource Integrity Recommendation that:

improves the ability to deploy and manage integrity taggging of assets for complex applications, including but not limited to mechanisms such as policy, manifests and public key signatures
explores the possibility of verifying entire packaged web applications units with a goal of providing end-user assurance about the identity and integrity of the code they are interacting with

Draft state: Editor's Draft

Suborigins

Mechanism to allow applications to place themselves into namespaces within a traditional scheme/host/port RFC 6454 Origin label to enable easier development of modular applications with privilege separation.

Draft state: Unofficial Editor's Draft

Origin Policy

A delivery mechanism for a number of policies which are to be applied to an entire origin. It complements header-based delivery mechanisms for existing policies (Content Security Policy, Referrer Policy, etc). to provide security policy statements that apply to an entire origin.

Draft state: Adopted from WICG

Permissions API

An API to allow web applications to be aware of the status of a given permission, to know whether it is granted, denied, or if the user will be asked whether the permission should be granted.

Draft state: Working Draft

Expected publication as a Candidate Recommendation: No later than Q2 2022

Exclusion Draft: 7 April 2015

Other Charter: 2015 charter

Permissions Policy

A mechanism that allows developers to selectively enable and disable use of various browser features and APIs. Formerly known as Feature Policy.

Draft state: Adopted from WICG

Expected publication as a Candidate Recommendation: No later than Q2 2022

Other Deliverables

Post-Spectre Web Development

A description of Spectre-type attacks as well as mitigations, targeted at web developers.

Draft state: Working Draft

Other non-normative documents may be created such as:

Use case and requirement documents;
Test suite and implementation report for the specification;
Primer or Best Practice documents to support web developers when designing applications.

Success Criteria

In order to advance to Candidate Recommendation and to add features after reaching Candidate Recommendation, each feature is expected to be supported by at least two implementations, which may be judged by factors including existing implementations, expressions of interest, and lack of opposition.

In order to advance to Proposed Recommendation, each normative specification is expected to have at least two independent implementations of every feature defined in the specification.

Each specification should contain separate sections detailing all known security and privacy implications for implementers, Web authors, and end users.

There should be testing plans for each specification, starting from the earliest drafts.

Each specification should contain a section on accessibility that describes the benefits and impacts, including ways specification features can be used to address them, and recommendations for maximising accessibility in implementations.

Coordination

For all specifications, this Working Group will seek horizontal review for accessibility, internationalization, performance, privacy, and security with the relevant Working and Interest Groups, and with the TAG. Invitation for review must be issued during each major standards-track document transition, including FPWD. The Working Group is encouraged to engage collaboratively with the horizontal review groups throughout development of each specification. The Working Group is advised to seek a review at least 3 months before first entering CR and is encouraged to proactively notify the horizontal review groups when major changes occur in a specification following a review.

Additional technical coordination with the following Groups will be made, per the W3C Process Document:

W3C Groups

Web Authentication Working Group: The WG will liaise with the Web Authentication WG on Credential Management.
Devices and Sensors Working Group: The WG may work with the Devices and Sensors WG on the security of their client-side APIs.

External Organizations

Web Hypertext Application Technology Working Group (WHATWG): Specifications such as CSP provide inputs into the algorithms defined by, e.g., the Fetch specification, and portions of CSP and Mixed Content may be defined in terms of Fetch. WebAppSec will work with WHATWG Fetch to ensure that CSP's normative dependencies on Fetch satisfy the W3C normative references policy.

Participation

To be successful, this Working Group is expected to have 10 or more active participants for its duration, including representatives from the key implementors of this specification, and active Editors and Test Leads for each specification. The Chairs, specification Editors, and Test Leads are expected to contribute one working day per week towards the Working Group. There is no minimum requirement for other Participants.

The group encourages questions, comments and issues on its public mailing lists and document repositories, as described in Communication.

The group also welcomes non-Members to contribute technical submissions for consideration upon their agreement to the terms of the W3C Patent Policy.

Participants in the group are required (by the W3C Process) to follow the W3C Code of Ethics and Professional Conduct.

Communication

Technical discussions for this Working Group are conducted in public: the meeting minutes from teleconference and face-to-face meetings will be archived for public review, and technical discussions and issue tracking will be conducted in a manner that can be both read and written to by the general public. Working Drafts and Editor's Drafts of specifications will be developed in public repositories and may permit direct public contribution requests. The meetings themselves are not open to public participation, however.

Information about the group (deliverables, participants, face-to-face meetings, teleconferences, etc.) is available from the Web Application Security Working Group home page.

This group conducts general discussion on the public mailing list public-webappsec@w3.org (archive).

Discussion on issues related to specific deliverables is primarily conducted in GitHub issues. The WG's main GitHub repository is at https://github.com/w3c/webappsec, which links to individual repositories for each deliverable. The public is invited to review, discuss and contribute to this work.

Decision Policy

This group will seek to make decisions through consensus and due process, per the W3C Process Document (section 3.3). Typically, an editor or other participant makes an initial proposal, which is then refined in discussion with members of the group and other reviewers, and consensus emerges with little formal voting being required.

However, if a decision is necessary for timely progress and consensus is not achieved after careful consideration of the range of views presented, the Chairs may call for a group vote and record a decision along with any objections.

To afford asynchronous decisions and organizational deliberation, any resolution (including publication decisions) taken in a face-to-face meeting or teleconference will be considered provisional. A call for consensus (CfC) will be issued for all resolutions (for example, via email, GitHub issue or web-based survey), with a response period from 7 to 10 days, depending on the chair's evaluation of the group consensus on the issue. If no objections are raised by the end of the response period, the resolution will be considered to have consensus as a resolution of the Working Group.

All decisions made by the group should be considered resolved unless and until new information becomes available or unless reopened at the discretion of the Chairs or the Director.

This charter is written in accordance with the W3C Process Document (Section 3.4, Votes) and includes no voting procedures beyond what the Process Document requires.

Patent Policy

This Working Group operates under the W3C Patent Policy (Version of 15 September 2020). To promote the widest adoption of Web standards, W3C seeks to issue Web specifications that can be implemented, according to this policy, on a Royalty-Free basis. For more information about disclosure obligations for this group, please see the W3C Patent Policy Implementation.

Licensing

This Working Group will use the W3C Software and Document license for all its deliverables.

About this Charter

This charter has been created according to section 5.2 of the Process Document. In the event of a conflict between this document or the provisions of any charter and the W3C Process, the W3C Process shall take precedence.

Charter History

The following table lists details of all changes from the initial charter, per the W3C Process Document (section 5.2.3):

Charter Period	Start Date	End Date	Changes
Initial Charter	7 September 2011	31 March 2013	Contains Content Security Policy (CSP), Secure Cross-Domain Resource Sharing, Secure Cross-Domain Framing.
Rechartered	24 October 2013	30 September 2014	Added CSP 1.1, Secure Mixed Content, Lightweight Isolated / Safe Content. Secure Cross-Domain Resource Sharing becomes CORS. Secure Cross-Domain Framing becomes User Interface Security Directives for Content Security Policy
Charter Extension	9 February 2015	31 March 2015	none
Rechartered	18 March 2015	31 December 2016	Added CSP2, Content Security Policy Pinning, Upgrade Insecure Requests, Privileged Contexts, Subresource Integrity, Referrer Policy, Credential Management API, Suborigin Namespaces, Confinement with Origin Web Labels, Entry Point Regulation for Web Applications, Permissions API. Dropped CORS, Lightweight Isolated / Safe Content. Added WHATWG liaison for Fetch.
Charter Extension	22 December 2016	31 March 2017	none
Rechartered	27 March 2017	31 December 2018	Added CSP3, Content Security Policy: Embedded Enforcement, User Interface Security and the Visibility API, Clear Site Data, Subresource Integrity Level 2, Suborigins, Site-Wide Policy Dropped Content Security Policy Pinning, User Interface Security Directives for Content Security Policy and Entry Point Regulation for Web Applications. Privileged Contexts becomes Secure Contexts.
Charter Extension	22 December 2018	31 March 2019	none
Rechartered	31 March 2019	31 March 2021	Added Feature Policy Dropped User Interface Security and the Visibility API, Confinement with Origin Web Labels Origin-Wide Policy becomes Site-Wide Policy
Charter Extension	31 March 2021	30 June 2021	none
Rechartered	[dd monthname yyyy]	31 July 2023	Added Trusted Types, Change Password URL, and Fetch Metadata. Moved most specs to snapshot (evergreen) publication. Updated scope text, reflecting a changing world. Allow WG to do WebCrypto maintenance. Updated charter consistent with modern templates. Added Mike Smith as an additional team contact.