Fwd: W3C Workshop Report: Secure the Web Forward

Dear Web Payments WG,

For those interested in security, W3C published today a report from the September 2023 Workshop "Secure the Web Forward":
   https://www.w3.org/2023/03/secure-the-web-forward/report.html

Ian

> Begin forwarded message:
> 
> From: xueyuan <xueyuan@w3.org>
> Subject: W3C Workshop Report: Secure the Web Forward
> Date: February 1, 2024 at 12:59:05 AM CST
> To: chairs@w3.org
> Resent-From: chairs@w3.org
> 
> Dear Chairs,
> 
> The report from the W3C Secure the Web Forward Workshop [1], held online in September 2023 in coordination with OpenSSF, OWASP and OpenJS, is now available:
>   https://www.w3.org/2023/03/secure-the-web-forward/report.html
> 
> This report contains a brief summary, collects highlights from the live sessions, links to the presentation videos, and details next steps.
> 
> The workshop was organized to review the state of technologies (existing, in development, or proposed), guidelines, tools, and documentation available to developers to secure applications deployed on the web, and to coordinate relevant activities. About 30 people attended the live sessions to discuss the 9 selected position papers along 3 different themes: supply chain security (including Software Bills of Materials, also known as SBOMs), JavaScript security, and developer awareness. Participants acknowledged the growing complexity of web applications and of security-related web technologies (e.g., CORS, Content Security Policy), which together make it challenging for developers to secure applications.
> 
> The main outcomes are that:
> - The use of SBOMs, which some regulations may require, could help developers keep track of security vulnerabilities.
> - A verification mechanism, such as the Source Code Transparency proposal, would allow browsers to validate that the application resources received match the resources advertised by the application developer in a web bundle or an SBOM and possibly analyzed by security researchers.
> - In parallel, JavaScript execution could be split in Compartments to isolate third-party code and keep its power under control. Making this foolproof with the design of the DOM API remains a challenge.
> - Additionally, same-origin realms can be manipulated by an attacker against the web application itself when they are not properly handled. Web applications should have the ability to control, at load time, how the potentially untrusted code they contain can create or access same-origin realms.
> - Cookies are another source of security vulnerabilities. The deprecation of third-party cookies creates a unique opportunity to revise the defaults of the cookie model for the web for increased security.
> - Regardless of technical solutions, a documentation effort is warranted: tutorials, how-tos, references, guides and best practices, targeted at developers as well as policy makers.
> 
> On top of progressing technical topics mentioned above, one of the suggested next steps is to initiate an activity, possibly hosted within a W3C Community Group, set to take a holistic approach to security and coordinate collaborations with other organizations (OpenSSF, OWASP, OpenJS, Open Web Docs, MDN, IETF, etc.). This activity could start by documenting threat models on the web and formulating end-user stories related to security to inform standardization groups, developers, and policy makers. Progress on this proposal is tracked in a GitHub issue [2].
> 
> Interested parties can contact Francois Daoust <fd@w3.org>.
> 
> W3C thanks those who helped with the organization and execution of the workshop, including members of the Program Committee, speakers, the MDN team, the WebDX Community Group and workshop participants.
> 
> For Philippe le Hégaret, Strategy Lead;
> Xueyuan Jia, W3C Marketing & Communications
> 
> [1] https://www.w3.org/2023/03/secure-the-web-forward/
> [2] https://github.com/w3c/secure-the-web-forward-workshop/issues/42

--
Ian Jacobs <ij@w3.org>
https://www.w3.org/People/Jacobs/
Tel: +1 917 450 8783

Received on Thursday, 1 February 2024 19:24:02 UTC