W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2016

Re: Rechartering WebAppSec -- call for input

From: Artur Janc <aaj@google.com>
Date: Thu, 27 Oct 2016 14:08:28 +0200
Message-ID: <CAPYVjqrYvLP8onDVdgdLCsrGr7iA2VD1b6qCdcig50L24zg5rw@mail.gmail.com>
To: Wendy Seltzer <wseltzer@w3.org>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi all,

I haven't contributed too much to the group so my opinion doesn't carry
much weight, but I would like to suggest a couple of areas which I think
will be important for developers, but aren't explicitly captured in the
current charter.

1. A mention of script injection / XSS and ways to prevent exploitation or
reduce its impact. In a way it's implicit from the discussion of isolation
and restricting dangerous features, but it's a large enough concern for
many applications that it might be worth calling out more directly.

2. Providing features to replace current injection-prone DOM APIs or
provide other security functionality in the browser. This touches on the
previously discussed concept of SafeNode and in-browser HTML sanitization
as well as ideas to provide the equivalent of strict contextually
autoescaping templates (http://queue.acm.org/detail.cfm?id=2663760), and
other features to mirror the capabilities of server-side mechanisms.

3. Tackling some of the long-standing problems of the web platform such as
cache sniffing and various other cross-origin data leaks and side channels
(e.g. detection of HTTP response sizes or other sensitive information from
authenticated responses). I don't think we're anywhere near solving these
problems, nor am I convinced that we can do so, but a man can dream ;-)

Just my two cents...

Cheers,
-Artur

On Wed, Oct 19, 2016 at 11:53 PM, Wendy Seltzer <wseltzer@w3.org> wrote:

> Hi WebAppSec,
>
> The group's current charter expires at the end of 2016, so we in the W3C
> team want to help you to scope a new one to continue work.
>
> We should look at the current scope and deliverables in
> https://www.w3.org/2015/03/webappsec-charter-2015.html
> If the existing scope continues to capture the work we want to do, we
> don't need to change it, but we at least need to update the list of
> deliverables and milestones.
>
> Thanks!
> --Wendy
>
> 2015-16 Scope:
> Modern Web Applications are composed of many parts and technologies.
> They may transclude, reference or have information flows between
> resources at the same, related or different origins. Due to the
> historically coarse-grained nature of the security boundaries and
> principals defined for such applications, they can be very difficult to
> secure.
>
> In particular, application authors desire uniform policy mechanisms to
> allow application components to drop privileges and reduce the chance
> they will be exploited, or that exploits will compromise other content,
> to isolate themselves from vulnerabilities in content that might
> otherwise be within the same security boundaries, and to communicate
> securely across security boundaries. These issues are especially
> relevant for the many web applications which incorporate other web
> application resources (mashups). That is, they comprise multiple origins
> (i.e., security principals).
>
> Areas of scope for this working group include:
>
> Attack Surface Reduction
> The WG will design mechanisms to allow applications to:
>
> Restrict or forbid potentially dangerous features which they do not
> intend to use
> Govern information and content flows into and out of an application
> Isolate themselves from other content which may contain unrelated
> vulnerabilities
> Sandbox potentially untrusted content and allow it to be interacted with
> more safely
> Uniquely identify application content such that unauthorized
> modifications may be detected and prevented
> Secure Mashups
> Several mechanisms for secure resource sharing and messaging across
> origins exist or are being specified, but several common and desirable
> use cases are not covered by existing work, such as:
>
> Allowing child IFRAMEs to protect themselves from "clickjacking"
> Providing labeled information flows and confinement properties to enable
> secure mashups. This is especially relevent for, e.g. applications
> communicating between security principals with different user-granted
> permissions (e.g. geolocation)
> Manageability
> Given the ad-hoc nature in which many important security features of the
> Web have evolved, providing uniformly secure experiences to users is
> difficult for developers. The WG will document and create uniform
> experiences for several undefined areas of major utility, including:
>
> Treatment of Mixed HTTPS/HTTP Content and defining Secure/Authenticated
> Origins for purposes of user experience, content inclusion/transclusion
> and other information flows, and for features which require a verifiably
> secure environment
> Providing hinting and direct support for credential managers, whether
> integrated into the user-agent or 3rd-party, to assist users in managing
> the complexities of secure passwords
> Application awareness of features which may require explicit user
> permission to enable.
> In addition to developing Recommendation Track documents in support of
> these goals, the Web Application Security Working Group may provide
> review of specifications from other Working Groups, in particular as
> these specifications touch on chartered deliverables of this group (in
> particular CSP), or the Web security model, and may also develop
> non-normative documents in support of Web security, such as developer
> and user guides for its normative specifications.
>
>
> --
> Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
> Strategy Lead, World Wide Web Consortium (W3C)
> https://wendy.seltzer.org/        +1.617.863.0613 (mobile)
>
>
>
>
Received on Thursday, 27 October 2016 12:09:23 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:21 UTC