- From: Hill, Brad <bhill@paypal-inc.com>
- Date: Tue, 7 May 2013 20:02:37 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <370C9BEB4DD6154FA963E2F79ADC6F2E27A11BD3@DEN-EXDDA-S12.corp.ebay.com>
Based on discussions at the F2F, I've attached an updated charter proposal. It include new deliverable dates, and proposes some additional scope that I'd like to review again on the call. Namely, it expands on "Sub-Resource Integrity" deliverable as "Secure Mixed Content" with a broader remit: ===Secure Mixed Content=== Create and advance recommendation(s) for dealing with resources in a secure web application loaded over insecure channels. Use cases include: * Adding integrity protections to sub-resource loads from HTML documents. This mechanism would have the goals of allowing resource authors to either or both specify the exact of cross-origin sub-resources and to allow optimistic loading of such resources in a cache-friendly manner over insecure transports. This work would be coordinated with and possibly be a joint deliverable with the HTML WG. * Standard behaviors for user agents to follow when encountering insecure resource loads in a secure context. This might include definitions of "active" and "passive" content that must be blocked or can be loaded with a warning, and possibly ways for secure applications to consume insecure but non-sensitive resources (such as a weather feed) And adds a new deliverable: ===Lightweight Isolated / Safe Content=== Create and advance recommendation(s) for lightweight isolation and safety mechanisms for composed web applications. An iframe and postMessage can provide a strong isolation barrier, but can requires too many resources on the client and present an unfriendly API to developers for some scenarios. The deliverable(s) will describe mechanisms to compose applications from imported components while isolating the application from malicious impacts of those components. Possible mechanisms include sandboxing and/or safe sub-setting of ECMAScript or HTML.
Attachments
- text/html attachment: Web Application Security Working Group v2_1.htm
Received on Tuesday, 7 May 2013 20:03:15 UTC