Re: [webappsec] CfC: Draft charter for review, ends 21-Dec-2016

I probably won't be able to attend the meeting on Dec 21st due to travel,
but I just want to say that I have read the new charter and it sounds
reasonable and like what I was expecting it to be.

My AC rep commented that there was talk about doing more on the security
review for other specs, and I see that this is in there under the "Web
Security Model" section.

My only suggestion is that we've talked a lot in meetings about the
usability of policies and the understanding of users, but there's nothing
explicitly in the charter suggesting that usability of policy is a goal for
webappsec.  With the poor use of CSP in the wild, should we maybe consider
putting that in the charter in order to help attract the type of talent we
need to make the next version gain more effective adoption?

 Terri



On Wed, Dec 14, 2016 at 11:07 AM, Brad Hill <hillbrad@gmail.com> wrote:

> This is a Call for Consensus to send a re-charter proposal for the
> WebAppSec WG to the AC.  This Call for Consensus will end at the next
> regularly scheduled meeting of the WG on December 21st.
>
> Please send comments to public-webappsec@w3.org
>
> Thanks to Wendy for getting this started.  I believe I've added all specs
> in progress, but please review and run this by your legal teams:
>
> https://rawgit.com/w3c/webappsec/master/admin/webappsec-charter-2017.html
>
> Pull requests welcome at but please cc: the list.
>
> https://github.com/w3c/webappsec/blob/master/admin/webappsec-charter-2017.html
>
> Additions in overall scope from previous charter:
>
> Vulnerability Mitigation
> * Vulnerabilities are inevitable in sufficiently complex applications. The
> WG will work on mechanisms to reduce the scope, exploitability and impact
> of common vulnerabilities and vulnerability classes in web applications,
> especially script injection / XSS.
>
> Attack Surface Reduction
> * Replace or augment injection-prone APIs in the browser with safer
> alternatives using strategies such as sanitization, strict contextual
> autoescaping, and other validation and encoding strategies currently
> employed by server-side code.
>
> The Web Security Model
> * The WG may be called on to advise other WGs or the TAG on the
> fundamental security model of the Web Platform and may produce
> Recommendations towards the advancement of, or addressing legacy issues
> with, the model, such as mitigating cross-origin data leaks or side channel
> attacks.
>
> Thank you,
>
> Brad Hill
>

Received on Monday, 19 December 2016 21:56:23 UTC