
Re: [webappsec] CfC: Draft charter for review, ends 21-Dec-2016

From: Wendy Seltzer <wseltzer@w3.org>
Date: Tue, 20 Dec 2016 00:23:05 -0500
To: "Oda, Terri" <terri.oda@intel.com>, Brad Hill <hillbrad@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <e737a4fa-3827-f2cc-18aa-8cd569188c33@w3.org>
Thanks Brad and Terri,

I sent a PR with a few editorial and group name changes (and CSP2 is now
a Rec, yay!).
https://github.com/w3c/webappsec/pull/522

On 12/19/2016 04:55 PM, Oda, Terri wrote:
> I probably won't be able to attend the meeting on Dec 21st due to travel,
> but I just want to say that I have read the new charter and it sounds
> reasonable and like what I was expecting it to be.
> 
> My AC rep commented that there was talk about doing more on the security
> review for other specs, and I see that this is in there under the "Web
> Security Model" section.

He may have been referring to the Web Security IG (charter currently
under AC review), which we are aiming to refocus for more effective
reviews of other groups' specs.

> 
> My only suggestion is that we've talked a lot in meetings about the
> usability of policies and the understanding of users, but there's nothing
> explicitly in the charter suggesting that usability of policy is a goal for
> webappsec.  With the poor use of CSP in the wild, should we maybe consider
> putting that in the charter in order to help attract the type of talent we
> need to make the next version gain more effective adoption?

Interesting idea. Would you think of adding language to the spec, or
sharing non-normative best practices outside the spec?

--Wendy

> 
>  Terri
> 
> 
> 
> On Wed, Dec 14, 2016 at 11:07 AM, Brad Hill <hillbrad@gmail.com> wrote:
> 
>> This is a Call for Consensus to send a re-charter proposal for the
>> WebAppSec WG to the AC.  This Call for Consensus will end at the next
>> regularly scheduled meeting of the WG on December 21st.
>>
>> Please send comments to public-webappsec@w3.org
>>
>> Thanks to Wendy for getting this started.  I believe I've added all specs
>> in progress, but please review and run this by your legal teams:
>>
>> https://rawgit.com/w3c/webappsec/master/admin/webappsec-charter-2017.html
>>
>> Pull requests welcome at
>> https://github.com/w3c/webappsec/blob/master/admin/webappsec-charter-2017.html
>> but please cc: the list.
>>
>> Additions in overall scope from previous charter:
>>
>> Vulnerability Mitigation
>> * Vulnerabilities are inevitable in sufficiently complex applications. The
>> WG will work on mechanisms to reduce the scope, exploitability and impact
>> of common vulnerabilities and vulnerability classes in web applications,
>> especially script injection / XSS.
>>
>> Attack Surface Reduction
>> * Replace or augment injection-prone APIs in the browser with safer
>> alternatives using strategies such as sanitization, strict contextual
>> autoescaping, and other validation and encoding strategies currently
>> employed by server-side code.
>>
>> The Web Security Model
>> * The WG may be called on to advise other WGs or the TAG on the
>> fundamental security model of the Web Platform and may produce
>> Recommendations towards the advancement of, or addressing legacy issues
>> with, the model, such as mitigating cross-origin data leaks or side channel
>> attacks.
>>
>> Thank you,
>>
>> Brad Hill
>>
> 


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Strategy Lead, World Wide Web Consortium (W3C)
https://wendy.seltzer.org/        +1.617.863.0613 (mobile)
Received on Tuesday, 20 December 2016 05:23:17 UTC