W3C Publishes Report for the Secure the Web Forward Workshop

W3C is pleased to announce a report from the W3C Workshop Secure the Web Forward, held online in September 2023 in coordination with OpenSSF, OWASP and OpenJS.

This report contains a brief summary, collects highlights from the live sessions, links to the presentation videos, and details next steps.

The workshop was organized to review the state of technologies (existing, in development, or proposed), guidelines, tools, and documentation available to developers to secure applications deployed on the web, and coordinate relevant activities. About 30 people attended the live sessions to discuss the 9 selected position papers along 3 different themes: supply chain security (including Software Bills of Materials, also known as SBOMs), JavaScript security, and developer awareness. Participants acknowledged the growing complexity of web applications and of security related web technologies (e.g., CORS, CSP), which together makes it challenging for developers to secure applications. The main outcomes are that:

• The use of SBOMs, which some regulations may require, could help developers keep track of security vulnerabilities.
• A verification mechanism, such as the Source Code Transparency proposal, would allow browsers to validate that the application resources received match the resources advertised by the application developer in a web bundle or an SBOM and possibly analyzed by security researchers.
• In parallel, JavaScript execution could be split in Compartments to isolate third party code and keep their power under control. Making this foolproof with the design of the DOM API remains a challenge.
• Additionally, same origin realms can be manipulated by an attacker against the web application itself when they are not properly handled. Web applications should have the ability to control, at load time, how the potentially untrusted code they contain can create or access same origin realms.
• Cookies are another source of security vulnerabilities. The deprecation of third party cookies creates a unique opportunity to revise the defaults of the cookies model for the web for increased security.
• Regardless of technical solutions, a documentation effort is warranted: tutorials, how-tos, references, guides and best practices, targeted at developers as well as policy makers.

On top of progressing technical topics mentioned above, one of the suggested next steps is to initiate an activity, possibly hosted within a W3C Community Group, set to take a holistic approach to security and coordinate collaborations with other organizations (OpenSSF, OWASP, OpenJS, Open Web Docs, MDN, IETF, etc.). This activity could start by documenting threat models on the web and formulating end-user stories related to security to inform standardization groups, developers, and policy makers. Progress on this proposal is tracked in a GitHub issue.

W3C thanks those who helped with the organization and execution of the workshop, including members of the Program Committee, speakers, the MDN team, the WebDX Community Group and workshop participants.