Re: [webappsec] CfC: Draft charter for review, ends 21-Dec-2016

On Mon, Dec 19, 2016 at 9:23 PM, Wendy Seltzer <wseltzer@w3.org> wrote:

> Thanks Brad and Terri,
>
> I sent a PR with a few editorial and group name changes (and CSP2 is now
> a Rec, yay!).
> https://github.com/w3c/webappsec/pull/522
>
> On 12/19/2016 04:55 PM, Oda, Terri wrote:
> > I probably won't be able to attend the meeting on Dec 21st due to travel,
> > but I just want to say that I have read the new charter and it sounds
> > reasonable and like what I was expecting it to be.
> >
> > My AC rep commented that there was talk about doing more on the security
> > review for other specs, and I see that this is in there under the "Web
> > Security Model" section.
>
> He may have been referring to the Web Security IG (charter currently
> under AC review), which we are aiming to refocus for more effective
> reviews of other groups' specs.


Yes, I was.  :-)


>
> >
> > My only suggestion is that we've talked a lot in meetings about the
> > usability of policies and the understanding of users, but there's nothing
> > explicitly in the charter suggesting that usability of policy is a goal for
> > webappsec.  With the poor use of CSP in the wild, should we maybe consider
> > putting that in the charter in order to help attract the type of talent we
> > need to make the next version gain more effective adoption?
>
> Interesting idea. Would you think of adding language to the spec, or
> sharing non-normative best practices outside the spec?
>

My suggestion would be to initially create a non-normative best practices
outside of the spec.  Longer term we should look at incorporating things
like this into the spec but I think we should leave this outside the spec
while we explore the best way to do this.

Ryan


>
> >
> >  Terri
> >
> >
> >
> > On Wed, Dec 14, 2016 at 11:07 AM, Brad Hill <hillbrad@gmail.com> wrote:
> >
> >> This is a Call for Consensus to send a re-charter proposal for the
> >> WebAppSec WG to the AC.  This Call for Consensus will end at the next
> >> regularly scheduled meeting of the WG on December 21st.
> >>
> >> Please send comments to public-webappsec@w3.org
> >>
> >> Thanks to Wendy for getting this started.  I believe I've added all specs
> >> in progress, but please review and run this by your legal teams:
> >>
> >> https://rawgit.com/w3c/webappsec/master/admin/webappsec-charter-2017.html
> >>
> >> Pull requests welcome at but please cc: the list.
> >>
> >> https://github.com/w3c/webappsec/blob/master/admin/webappsec-charter-2017.html
> >>
> >> Additions in overall scope from previous charter:
> >>
> >> Vulnerability Mitigation
> >> * Vulnerabilities are inevitable in sufficiently complex applications. The
> >> WG will work on mechanisms to reduce the scope, exploitability and impact
> >> of common vulnerabilities and vulnerability classes in web applications,
> >> especially script injection / XSS.
> >>
> >> Attack Surface Reduction
> >> * Replace or augment injection-prone APIs in the browser with safer
> >> alternatives using strategies such as sanitization, strict contextual
> >> autoescaping, and other validation and encoding strategies currently
> >> employed by server-side code.
> >>
> >> The Web Security Model
> >> * The WG may be called on to advise other WGs or the TAG on the
> >> fundamental security model of the Web Platform and may produce
> >> Recommendations towards the advancement of, or addressing legacy issues
> >> with, the model, such as mitigating cross-origin data leaks or side channel
> >> attacks.
> >>
> >> Thank you,
> >>
> >> Brad Hill
> >>
> >
>
>
> --
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> Strategy Lead, World Wide Web Consortium (W3C)
> https://wendy.seltzer.org/        +1.617.863.0613 (mobile)
>
>
>
>
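Added example (not part of the thread, the charter draft, or any W3C deliverable): the "Attack Surface Reduction" bullet quoted above names strict contextual autoescaping as the kind of strategy server-side code already uses. The block below shows, in browser-style JavaScript, the injection-prone string-concatenation pattern beside a tagged-template renderer that escapes each interpolated value for its context (HTML text, double-quoted attribute, URL attribute). The helper names (`escapeHtml`, `safeUrl`, `url`, `html`, `renderUnsafe`, `renderSafe`) and the sample inputs are constructed for the example and are not an API of any browser or spec.

```javascript
// Added example, not code from the webappsec thread or charter.
// Constructed helpers: escapeHtml, safeUrl, url, html, renderUnsafe, renderSafe.

// Escape for the HTML text context and for double-quoted attribute values.
// '&' must be replaced first so later replacements are not double-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// URL attribute context: allow relative URLs and http/https only.
// ASCII control characters and spaces are stripped first, because browsers
// ignore them when parsing a scheme, so "java\tscript:" would otherwise
// slip past a naive prefix check. Any other scheme becomes about:blank.
function safeUrl(value) {
  const s = String(value).replace(/[\u0000-\u0020]/g, '');
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (scheme && !/^https?$/i.test(scheme[1])) return 'about:blank';
  return escapeHtml(s);
}

// Marker so the template knows a value is destined for a URL attribute.
function url(value) {
  return { __url: safeUrl(value) };
}

// Tagged template: literal markup is trusted as written; every interpolated
// value is escaped according to its declared context.
function html(strings, ...values) {
  let out = strings[0];
  for (let i = 1; i < strings.length; i++) {
    const v = values[i - 1];
    const isUrl = v !== null && typeof v === 'object' && '__url' in v;
    out += (isUrl ? v.__url : escapeHtml(v)) + strings[i];
  }
  return out;
}

// Injection-prone pattern: untrusted data concatenated straight into markup.
function renderUnsafe(name, link) {
  return '<a href="' + link + '">' + name + '</a>';
}

// Same markup, with untrusted values autoescaped for their contexts.
function renderSafe(name, link) {
  return html`<a href="${url(link)}">${name}</a>`;
}

// Constructed sample inputs (not real user data).
const untrustedName = '<b>Ann</b> & "friends"';
const untrustedLink = 'javascript:void(0)';

console.log('unsafe:', renderUnsafe(untrustedName, untrustedLink));
console.log('safe:  ', renderSafe(untrustedName, untrustedLink));
console.log('ok:    ', renderSafe('Ann', 'https://example.com/?a=1&b=2'));
```

The design point is the one the charter bullet makes: the escaping decision moves out of each call site and into the API, so a developer who forgets to escape cannot produce the unsafe output. A renderer like this would still be paired with a CSP as defence in depth, since it covers only the output it is asked to produce.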

Received on Tuesday, 20 December 2016 21:07:58 UTC