W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2016

Rechartering WebAppSec -- call for input

From: Wendy Seltzer <wseltzer@w3.org>
Date: Wed, 19 Oct 2016 17:53:01 -0400
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <266f8fb6-ac11-a3a6-099b-c5b8bd1646c2@w3.org>
Hi WebAppSec,

The group's current charter expires at the end of 2016, so we in the W3C
team want to help you to scope a new one to continue work.

We should look at the current scope and deliverables in
https://www.w3.org/2015/03/webappsec-charter-2015.html
If the existing scope continues to capture the work we want to do, we
don't need to change it, but we at least need to update the list of
deliverables and milestones.

Thanks!
--Wendy

2015-16 Scope:
Modern Web Applications are composed of many parts and technologies.
They may transclude, reference or have information flows between
resources at the same, related or different origins. Due to the
historically coarse-grained nature of the security boundaries and
principals defined for such applications, they can be very difficult to
secure.

In particular, application authors desire uniform policy mechanisms to
allow application components to drop privileges and reduce the chance
they will be exploited, or that exploits will compromise other content,
to isolate themselves from vulnerabilities in content that might
otherwise be within the same security boundaries, and to communicate
securely across security boundaries. These issues are especially
relevant for the many web applications which incorporate other web
application resources (mashups). That is, they comprise multiple origins
(i.e., security principals).

Areas of scope for this working group include:

Attack Surface Reduction
The WG will design mechanisms to allow applications to:

Restrict or forbid potentially dangerous features which they do not
intend to use
Govern information and content flows into and out of an application
Isolate themselves from other content which may contain unrelated
vulnerabilities
Sandbox potentially untrusted content and allow it to be interacted with
more safely
Uniquely identify application content such that unauthorized
modifications may be detected and prevented
Secure Mashups
Several mechanisms for secure resource sharing and messaging across
origins exist or are being specified, but several common and desirable
use cases are not covered by existing work, such as:

Allowing child IFRAMEs to protect themselves from "clickjacking"
Providing labeled information flows and confinement properties to enable
secure mashups. This is especially relevent for, e.g. applications
communicating between security principals with different user-granted
permissions (e.g. geolocation)
Manageability
Given the ad-hoc nature in which many important security features of the
Web have evolved, providing uniformly secure experiences to users is
difficult for developers. The WG will document and create uniform
experiences for several undefined areas of major utility, including:

Treatment of Mixed HTTPS/HTTP Content and defining Secure/Authenticated
Origins for purposes of user experience, content inclusion/transclusion
and other information flows, and for features which require a verifiably
secure environment
Providing hinting and direct support for credential managers, whether
integrated into the user-agent or 3rd-party, to assist users in managing
the complexities of secure passwords
Application awareness of features which may require explicit user
permission to enable.
In addition to developing Recommendation Track documents in support of
these goals, the Web Application Security Working Group may provide
review of specifications from other Working Groups, in particular as
these specifications touch on chartered deliverables of this group (in
particular CSP), or the Web security model, and may also develop
non-normative documents in support of Web security, such as developer
and user guides for its normative specifications.


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Strategy Lead, World Wide Web Consortium (W3C)
https://wendy.seltzer.org/        +1.617.863.0613 (mobile)
Received on Wednesday, 19 October 2016 21:53:05 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:21 UTC