From 321356f94ed7b7366ce641d75d16fece1541071e Mon Sep 17 00:00:00 2001
From: Wendy Seltzer <wseltzer@w3.org>
Date: Tue, 29 Nov 2016 18:25:55 -0500
Subject: [PATCH] add an initial draft of Charter 2017

---
 admin/webappsec-charter-2017.html | 464 ++++++++++++++++++++++++++++++
 1 file changed, 464 insertions(+)
 create mode 100644 admin/webappsec-charter-2017.html
diff --git a/admin/webappsec-charter-2017.html b/admin/webappsec-charter-2017.html
new file mode 100644
index 00000000..60f21ab6
--- /dev/null
+++ b/admin/webappsec-charter-2017.html
@@ -0,0 +1,464 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta http-equiv="content-type" content="text/html; charset=utf-8">
+    <base href="https://www.w3.org/">
+    <title>DRAFT 2017 Web Application Security Working Group</title>
+    <link rel="stylesheet" href="/2005/10/w3cdoc.css" type="text/css" media="screen">
+    <link rel="stylesheet" type="text/css" href="/Guide/pubrules-style.css">
+    <link rel="stylesheet" type="text/css" href="/2006/02/charter-style.css">
+  </head>
+  <body>
+    <div id="template"><ul id="navbar" style="font-size: small"><li><a href="#scope">Scope</a></li><li><a href="#deliverables">Deliverables</a></li><li><a href="#coordination">Dependencies and Liaisons</a></li><li><a href="#participation">Participation</a></li><li><a href="#communication">Communication</a></li><li><a href="#decisions">Decision Policy</a></li><li><a href="#patentpolicy">Patent 
+      Policy</a></li><li><a href="#about">About this Charter</a></li></ul>
+    
+
+    <p><a href="http://www.w3.org/" shape="rect"><img alt="W3C" height="48" src="/Icons/w3c_home" width="72"/></a></p>
+
+    <h1 id="title">DRAFT 2017 Web Application Security Working Group Charter</h1>
+
+    <p><strong>This is DRAFT PROPOSED CHARTER.  Please send comments to <a href="mailto:public-webappsec@w3.org">public-webappsec@w3.org</a></strong></p>
+
+    <p class="mission">The <strong>mission</strong> of the 
+        <a href="http://www.w3.org/2011/webappsec/">Web Application Security Working Group</a> is to develop security and policy mechanisms to improve the security of Web Applications, and enable
+        secure cross-origin communication.</p>
+
+    <div class="noprint">
+    <p class="join"><a href="http://www.w3.org/2004/01/pp-impl/49309/join">Join the
+    Web Application Security Working Group</a>.</p>
+    </div>
+
+    <table class="summary-table">
+      <tr id="Duration"><th rowspan="1" colspan="1">End date</th>
+        <td rowspan="1" colspan="1">31 December 2018</td>
+      </tr>
+      <tr><th rowspan="1" colspan="1">Confidentiality</th>
+        <td rowspan="1" colspan="1">Proceedings are <a href="/2005/10/Process-20051014/comm.html#confidentiality-levels" shape="rect">
+        public
+        </a></td>
+      </tr>
+      <tr><th rowspan="1" colspan="1">Chairs</th>
+        <td rowspan="1" colspan="1">Brad Hill, Dan Veditz</td>
+      </tr>
+      <tr><th rowspan="1" colspan="1">Team Contacts<br/>
+        (FTE %: 10)</th>
+        <td rowspan="1" colspan="1">Wendy Seltzer</td>
+      </tr>
+      <tr><th rowspan="1" colspan="1">Usual Meeting Schedule</th>
+        <td rowspan="1" colspan="1">Teleconferences: Bi-Weekly
+           <br/>
+        Face-to-face: 1-2 annually
+           </td>
+         </tr>
+       </table>
+
+    <div class="scope">
+      <h2 id="scope">Scope</h2>
+
+      <p>Modern Web Applications are composed of many parts and
+        technologies.  They may transclude, reference or have
+        information flows between resources at the same, related or
+        different origins.  Due to the historically coarse-grained
+        nature of the security boundaries and principals defined for
+        such applications, they can be very difficult to secure.</p>
+
+      <p>In particular, application authors desire uniform policy
+          mechanisms to allow application components to drop
+          privileges and reduce the chance they will be exploited, or
+          that exploits will compromise other content, to isolate
+          themselves from vulnerabilities in content that might
+          otherwise be within the same security boundaries, and to
+          communicate securely across security boundaries.
+          
+          These issues are especially relevant for the many web
+      applications which incorporate other web application resources
+      (mashups). That is, they comprise multiple origins (i.e.,
+      security principals).</p>
+
+      <p>Areas of scope for this working group include:</p>
+
+      <dl>
+
+        <dt><b>Attack Surface Reduction</b></dt>
+        <dd>
+            <p>The WG will design mechanisms to allow applications to:
+            <ul>
+                <li>Restrict or forbid potentially dangerous features which 
+                they do not intend to use</li>
+                <li>Govern information and
+                    content flows into and out of an application</li>
+                <li>Isolate themselves from other content which may contain
+                unrelated vulnerabilities</li>
+                <li>Sandbox potentially untrusted content and allow it to be
+                interacted with more safely</li>
+                <li>Uniquely identify application content such that unauthorized
+                modifications may be detected and prevented</li>
+            </ul>
+            </p>
+        </dd>
+
+        <dt><b>Secure Mashups</b></dt>
+        <dd>
+            <p>Several mechanisms for secure resource
+        sharing and messaging across origins exist or are being specified, but
+        several common and desirable use cases are not covered by existing
+        work, such as: 
+                <ul>
+                    <li>Allowing child IFRAMEs to protect themselves from
+                    "clickjacking"</li>
+                    <li>Providing labeled information flows and confinement
+                    propeties to enable secure mashups. This is especially
+                    relevent for, e.g. applcations communicating between
+                    security principals with
+                    different user-granted permissions (e.g. geolocation)</li>
+                </ul>
+            </p>
+        </dd>
+
+        <dt><b>Manageability</b></dt>
+        <dd>
+            <p>Given the ad-hoc nature in which many important security features
+                of the Web have evolved, providing uniformly secure experiences
+                to users is difficult for developers.  The WG will document
+                and create uniform experiences for several undefined areas of 
+                major utility, including:
+                <ul>
+                    <li>Treatment of Mixed HTTPS/HTTP Content and defining
+                    Secure/Authenticated Origins for purposes of user
+                    experience, content inclusion/transclusion and other information flows,
+                    and for features which require a verifiably secure
+                    environment</li>
+                    <li>Providing hinting and direct support for credential
+                    managers, whether integrated into the user-agent or 3rd-party,
+                    to assist users in managing the complexities of secure
+                    passwords</li>
+                    <li>Application awareness of features which may
+										require explicit user permission to enable.</li>
+                </ul>
+            </p>
+        </dd>
+
+      </dl>
+
+      <p>In addition to developing Recommendation Track documents in support
+        of these goals, the Web Application Security Working Group may provide review of
+      specifications from other Working Groups, in particular as these
+      specifications touch on chartered deliverables of this group (in
+      particular CSP), or the Web security model, and may also develop
+          non-normative documents in support of Web security, such as
+          developer and user guides for its normative specifications.</p>      
+      
+      <h3>Success Criteria</h3>
+    
+      <p>To advance to Proposed Recommendation, each specification is expected
+      to have two independent implementations of each feature described in the
+      specification.</p>      
+
+    </div>
+
+    <div>
+      <h2 id="deliverables">Deliverables</h2>
+      
+      <p>All of the following deliverables are on or proposed for the Recommendation Track:</p>
+
+<dl>
+            <dt id="csp3" class="spec"><a href="https://www.w3.org/TR/CSP3/">Content Security Policy Level 3</a></dt>
+            <dd>
+          <p>A policy language intended to enable web designers or server
+          administrators to declare a security policy for a web resource.
+          The goal of this specification is to reduce attack surface by
+          specifying overall rules for what content may or may not do, thus
+          preventing violation of security assumptions by attackers who are
+          able to partially manipulate that content.  Content Security Policy
+          (CSP) Level 3 succeeds CSP2, which [is now in PR].</p>
+              <p class="draft-status"><b>Draft state:</b> <a href="https://www.w3.org/TR/2016/WD-CSP3-20160913/">Working Draft</a></i></p>
+              <p class="milestone"><b>Expected completion:</b> <i class="todo">[Q1–4 yyyy]</i></p>
+            </dd>
+          </dl>
+
+<dl>
+        <dt id="uisecurity" class="spec"><a href="http://www.w3.org/TR/UISecurity/">User Interface Security and the Visibility API</a> </dt>
+        <dd>
+          <p>Create and advance existing recommendations specifying bi-
+          directional parent/child policies to enable secure mash-up
+          applications built around cross-domain framing. To express necessary
+          constraints and demands, this deliverable will re-use and extend the
+          policy language of the Content Security Policy deliverable with the
+          goal of creating uniform semantics for requirements currently
+          disjoint in expression and implementation across the CSP, the HTML5
+          IFRAME sandbox, and the X-Frame-Options HTTP header. This work will
+          be closely coordinated with the IETF websec WG in order to avoid 
+          overlapping or conflicting specifications.</p>
+                     <p class="draft-status"><b>Draft state:</b> <a href="https://www.w3.org/TR/2016/WD-UISecurity-20160607/">Working Draft</a></i></p>
+              <p class="milestone"><b>Expected completion:</b> <i class="todo">[Q1-4 yyyy]</i></p>
+</dd> </dl>
+<dl>    
+        <dt>
+          <a href="http://www.w3.org/TR/mixed-content/">Mixed Content</a> (CR)</a> </dt>
+
+        <dd> <p>A recommendation for dealing with
+          resources loaded over insecure channels in a secure web application.
+          Use cases includes standard behaviors for user agents to follow when encountering
+            insecure resource loads in a secure context.  This might include
+            definitions of “active” and “passive” content that must be blocked
+            or can be loaded with a warning, and possibly ways for secure
+            applications to consume insecure but non-sensitive resources (such
+            as a weather feed).
+        
+
+          <p class="draft-status"><b>Draft state:</b> <a href="https://www.w3.org/TR/2016/CR-mixed-content-20160802/">Candidate Recommendation</a></p>
+              <p class="milestone"><b>Expected completion:</b> <i class="todo">[Q1-4 yyyy]</i></p>
+</dd> </dl>
+<dl>
+        <dt><a href="https://www.w3.org/TR/upgrade-insecure-requests/">Upgrade Insecure Requests</a></dt>
+        <dd> 
+	  <p>Create a mechaimsm to assist in sites migrating from HTTP
+	to HTTPS by allowing them to assert to a user agent that they
+	intend a site to load only secure resources, and that insecure
+	URLs ought to be treated as though they had been replaced with
+	secure URLs.  
+					</p>
+          <p class="draft-status"><b>Draft state:</b> <a href="https://www.w3.org/TR/2015/CR-upgrade-insecure-requests-20151008/">Candidate Recommendation</a></p>
+              <p class="milestone"><b>Expected completion:</b> <i class="todo">[Q1-4 yyyy]</i></p>
+
+        </dd>
+
+
+				<dt>
+        <a href="https://www.w3.org/TR/secure-contexts/">Secure
+          Contexts</a></a></dt>
+
+        <dd> <p>A recommendation defining "secure contexts", thereby
+        allowing user agent implementers and specification authors to
+        enable certain features only when certain minimum standards of
+        authentication and confidentiality are met.
+	    </p>
+          <p class="draft-status"><b>Draft state:</b> <a href="https://www.w3.org/TR/2016/CR-secure-contexts-20160915/">Candidate Recommendation</a></p>
+              <p class="milestone"><b>Expected completion:</b> <i class="todo">[Q1-4 yyyy]</i></p>
+</dd> </dl>
+<dl>
+        <dt>
+         <a href="http://www.w3.org/TR/referrer-policy/">Referrer Policy</a>
+        </dt>
+
+        <dd> <p>A recommendation for a header and meta tag allowing
+            resource authors to specify a policy for the values sent
+            as part of the HTTP Referer (sic) header.  Use cases
+            include making this policy more restrictive to protect
+            applications which include security capability tokens in
+            the URL, or allowing more permissive sharing of referrer
+            information from secure to insecure origins to remove
+            barriers which today prevent applications from moving to
+            secure origins.</p>
+       <p class="draft-status"><b>Draft state:</b> <a href="https://www.w3.org/TR/2016/WD-referrer-policy-20161016/">Working Draft</a></p>
+              <p class="milestone"><b>Expected completion:</b> <i class="todo">[Q1-4 yyyy]</i></p>
+</dd> </dl>
+<dl>
+
+        <dt>Credential Management API</dt>
+
+        <dd> 
+          <p>Create and advance recommendation(s) for a standardized
+              API to address use cases related to assisted management
+              of user credentials, including traditional
+              username/password pairs, username/federated identity
+              provider pairs.  The API should allow for explicit and
+              interoperable imperative mechanism for use and lifecycle
+              management of these common credential types.</p>
+        </dd>
+
+        <dt><b>Suborigin Namespaces</b></dt>
+
+        <dd> 
+          <p>Create and advance a recommendation to allow applications
+              to place themselves into namespaces within a traditional
+              scheme/host/port RFC 6454 Origin label to enable easier
+              development of modular applications with privilege
+              separation.</p>
+        </dd>
+        
+        <dt><b>Confinement with Origin Web Labels</b></dt>
+
+        <dd> 
+	<p>Create and advance a recommendation for a robust JavaScript
+	confinement system for modern web browsers, in a way that is
+	backward-compatible with legacy web content.  The goal of the
+	specification is to define APIs for specifying privacy and
+	integrity policies on data, in the form of origin labels, and
+	a mechanism for confining browsing contexts (pages, iframes,
+	etc.)  according to these labels. This would allow Web
+	application authors and server operators to share data with
+	untrusted code (e.g., in a mashup scenario, cross-origin
+	iframes) yet impose restrictions on how the code can further
+	share the sensitive data.</p>
+
+	<p>An additional goal is to define a light-weight, in-thread
+	Web Worker.  This would allow developers to build
+	privilege-separated, compartmentalized applications, in
+	addition to sandboxing potentially untrusted scripts.</p>
+        </dd>
+
+  
+        <dt><b>Permissions API</b></dt>
+
+        <dd> 
+          <p>Create and advance a recommendation to allow web
+	applications to be aware of the status of a given permission,
+	to know whether it is granted, denied, or if the user will be
+	asked whether the permission should be granted.  This
+	recommendation will not address user agent implementations of
+	permissions, including their scope, duration, granularity, or
+	user interface and experience for indicating, configuring, or
+	asking for permissions.</p>
+        </dd>
+      </dl>
+    <p>@@@</p>
+
+    <h3>Milestones</h3>
+        
+    
+    
+    <div class="dependencies">
+      <h2 id="coordination">Dependencies and Liaisons</h2>
+      
+
+      
+  
+      <h3>W3C Groups</h3>
+
+      <dl>
+          <dt><a href="http://www.w3.org/html/wg/">HTML Working Group</a></dt>
+          <dd>The <a href="http://www.w3.org/TR/html5/">HTML</a>
+            specification defines many of the security policies that
+            apply in the current browser environment, and Subresource Integrity
+              defines new attributes that may be applied to HTML tags.</dd>
+           <dt><a href="http://www.w3.org/Privacy/">Privacy Interest Group</a></dt>
+          <dd>The WG may ask the Privacy Interest Group to review some of its specifications for privacy considerations.</dd>
+          <dt><a href="http://www.w3.org/Security/wiki/IG">Web Security Interest Group</a></dt>
+          <dd>The WG may ask the Web Security Interest Group review some of its specifications for security considerations.</dd>
+          <dt><a href="http://www.w3.org/2001/tag/">Technical Architecture Group
+              (TAG)</a></dt>
+          <dd>The WG may ask the Technical Architecture Group to
+            review some of its specifications.</dd>
+            <dt><a href="http://www.w3.org/WAI/PF/">Protocols and Formats Working Group</a></dt>
+           <dd>The WG may ask the PFWG to review some of its specifications for potential accessibility issues. </dd>
+	<dt>Web Platform WG</dt>
+	<dd>The WG may coordinate with Web Platform WG around API design.</dd>
+        </dl>
+
+        <h3>Outside Groups</h3>
+    <dt><a href="https://whatwg.org/">Web Hypertext Application Technology Working Group (WHATWG)</a></dt>
+    <dd>Specifications such as CSP provide inputs into the algorithms defined by, e.g. the
+        Fetch specification and portions of CSP and Mixed Content may be defined in terms of
+        Fetch.</dd>
+    </dl>
+
+  </div>
+  
+    <div class="participation">
+      <h2 id="participation">Participation</h2>
+
+      
+
+      <p>To be successful, the Web Application Security Working Group is
+      expected to have 10 active participants for its duration. Effective
+      participation to Web Application Security Working Group is expected to
+      consume one day per week for chairs and editors. The Web Application
+      Security Working Group will allocate also the necessary resources for
+      building Test Suites for each specification.</p>
+
+      
+
+      
+    </div>
+
+    <div class="communication">
+      <h2 id="communication">Communication</h2>
+
+      
+  <p>This group primarily conducts its work on the public
+  mailing list public-webappsec@w3.org (<a href="http://lists.w3.org/Archives/Public/public-webappsec/">archive</a>).
+  </p>
+      
+      
+      
+
+      <p>Information about the group (deliverables, participants,
+      face-to-face
+      meetings, teleconferences, etc.) is
+      available from the <a href="http://www.w3.org/2011/webappsec/">Web Application Security Working Group home
+      page</a>.</p>
+    </div>
+
+    <div class="decisions">
+      <h2 id="decisions">Decision Policy</h2>
+
+      <p>As explained in the Process Document
+      (<a href="/Consortium/Process/policies#Consensus"
+      shape="rect">section 3.3</a>), this group will seek to make
+      decisions when there is consensus. When the Chair puts a
+      question and observes dissent, after due consideration of
+      different opinions, the Chairs should put a question out for
+      voting within the group (allowing for remote asynchronous
+      participation -- using, for example, email and/or web-based
+      survey techniques) and record a decision, along with any
+      objections. The matter should then be considered resolved unless
+      and until new information becomes available.</p>
+			
+			<p>Any resolution first taken in a
+			face-to-face meeting or teleconference [i.e.,
+			that does not follow a 7 day call for
+			consensus on the mailing list] is to be
+			considered provisional until 5 working days
+			after the publication of the resolution in
+			draft minutes, available from the WG's
+			calendar or home page.  If no objections are
+			raised on the mailing list within that time,
+			the resolution will be considered to have
+			consensus as a resolution of the Working
+			Group.</p>
+
+    </div>
+
+    <div class="patent">
+      <h2 id="patentpolicy">Patent Policy</h2>
+
+      
+        <p>This Working Group operates under
+        the <a href="/Consortium/Patent-Policy-20040205/"
+        shape="rect">W3C Patent Policy</a> (5 February 2004
+        Version). To promote the widest adoption of Web standards, W3C
+        seeks to issue Recommendations that can be implemented,
+        according to this policy, on a Royalty-Free basis.</p>
+      
+
+              <p>For more information about disclosure obligations for
+        this group, please see the <a href="/2004/01/pp-impl/" shape="rect">W3C
+        Patent Policy Implementation</a>.</p>
+      
+    </div>
+
+    
+
+    <h2 id="about">About this Charter</h2>
+
+    <p>This charter for the Web Application Security Working Group has been created according to
+    <a href="/Consortium/Process/groups#GAGeneral" shape="rect">section
+    6.2</a> of the <a href="/Consortium/Process" shape="rect">Process
+    Document</a>.   In the event of a
+    conflict between this document or the provisions of any charter
+    and the W3C Process, the W3C Process shall take precedence.</p>
+
+    <p>Please also see the <a href="@@">previous charter</a> for this group.</p>
+    <hr/>
+
+    <address>
+      Brad Hill, Dan Veditz, Wendy Seltzer &lt;<a href="mailto:wseltzer@w3.org">wseltzer@w3.org</a>&gt;
+    </address>
+
+    <p class="copyright"><a rel="Copyright" href="/Consortium/Legal/ipr-notice#Copyright" shape="rect">Copyright</a>©
+    2015 <a href="/" shape="rect"><acronym title="World Wide Web Consortium">W3C</acronym></a>
+    <sup>®</sup> (<a href="http://www.csail.mit.edu/" shape="rect"><acronym title="Massachusetts Institute of Technology">MIT</acronym></a>,
+    <a href="http://www.ercim.org/" shape="rect"><acronym title="European Research Consortium for Informatics and Mathematics">ERCIM</acronym></a>, <a href="http://www.keio.ac.jp/" shape="rect">Keio</a>, <a href="http://ev.buaa.edu.cn/" shape="rect">Beihang</a>), All Rights
+    Reserved.</p>
+  </div></body></html>

End date	31 December 2018
Confidentiality	Proceedings are + public +
Chairs	Brad Hill, Dan Veditz
Team Contacts + (FTE %: 10)	Wendy Seltzer
Usual Meeting Schedule	Teleconferences: Bi-Weekly + + Face-to-face: 1-2 annually +