index.html

<!DOCTYPE HTML>
<!-- To report issues with this page, mail public-webappsec@w3.org -->
<html>
<head>
    <meta http-equiv="Content-Security-Policy"
          content="default-src none; img-src https://www.w3.org https://calendar.google.com https://www.google.com; style-src 'self'; frame-src https://*.google.com; child-src https://*.google.com; form-action https://www.w3.org;">
    <!--
        Chrome mobile on iOS uses internal XHR to do things like checking the phishing url database, so you
        trigger a spoof warning if you don't have this connect-src rule for a meta-tag. (header processing
        has a workaround, it seems) OK here since there is no XHR anywhere in this resource anyway
    -->
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>W3C Web Application Security Working Group</title>
    <link href="homepage/Overview.css" rel="stylesheet" type="text/css"></link>
</head>
<body>

<div id="headline" class="major">
        <h1>Web Application Security Working Group</h1>
</div>

<div id="calendar" class="major">
    <h2>Calendar of Events</h2>
    <div id="touchFix">
       <iframe id="calendarEmbed" src="https://www.google.com/calendar/embed?showPrint=0&amp;showTabs=0&amp;showCalendars=0&amp;mode=AGENDA&amp;height=600&amp;wkst=1&amp;bgcolor=%23FFFFFF&amp;src=t9f490hl8m6gj6ui3j5sao4938%40group.calendar.google.com&amp;color=%238C500B&amp;ctz=America%2FLos_Angeles" width="100%" frameborder="no"></iframe>
    </div>
    <div class="note">
    Subscribe: <a href="https://www.google.com/calendar/feeds/t9f490hl8m6gj6ui3j5sao4938%40group.calendar.google.com/public/basic"><img src="https://www.google.com/calendar/images/xml.gif"></a>&nbsp;<a href="https://www.google.com/calendar/ical/t9f490hl8m6gj6ui3j5sao4938%40group.calendar.google.com/public/basic.ics"><img src="https://www.google.com/calendar/images/ical.gif"></a>&nbsp;<a href="https://www.google.com/calendar/embed?src=t9f490hl8m6gj6ui3j5sao4938%40group.calendar.google.com&amp;ctz=America/Los_Angeles"><img src="https://www.google.com/calendar/images/html.gif"></a>
    </div>
</div>

<div id="mission" class="major">
    <h2>Mission</h2>
    <p>As stated in its
    <a href="https://www.w3.org/2011/webappsec/charter-2017.html">charter</a>, the
    mission of the Web Application Security Working Group is to develop technical
    and policy mechanisms to improve the security of and enable secure cross-site
    communications for applications on the Web.
    </p>
</div>

<div id="mailingList" class="major">
    <h2>Mailing List</h2>
    <p>The group's primary work mode is via discussion on a public mailing list:
    <a href="mailto:public-webappse@w3.org">public-webappsec@w3.org</a> |
    <a href="mailto:public-webappsec-request@w3.org?subject=subscribe">Subscribe</a> |
    <a href="https://lists.w3.org/Archives/Public/public-webappsec/">List Archives</a></p>

    <p>
    <form method="get" action="https://www.w3.org/Search/Mail/Public/search">
    <p>Search the archive <input name="type-index" value="public-webappsec" type="hidden">
    <input name="index-type" value="t" type="hidden">
    <input size="30" name="keywords" maxlength="100" value="" type="text">
    <input value="Search" name="search" type="submit">
    </p>
    </form>
    </p>
</div>

<div id="teleconference" class="major">
    <h2>Teleconferences</h2>
    <p>WebAppSec conducts a one hour, members-only teleconference every two weeks.
    See the calendar of events for the most current dates and times and dial-in details.</p>

    <p>Participants in the teleconference are encouraged to please also
        join the <a href="irc://irc.w3.org:6665/webappsec">#webappsec channel</a>
        during the call. Connect to
        irc.w3.org:6665 with your favorite IRC client or use the
        <a href="http://irc.w3.org/?channels=#webappsec">web interface</a>.</p>

    <p>Minutes for teleconferences and face-to-face meeetings are <a href="Minutes.html">archived here</a>.</p>

</div>

<div id="tracking" class="major">
    <h2>Bugs, Issues &amp; Actions</h2>
    <p>Please use the <a href="https://github.com/w3c/WebAppSec">WG's GitHub repo</a>
    or the GitHub issues link in each spec to manage spec text bugs and pull requests.
        (technical issues and feature requests must go through
        the public mailing list first)</p>
</div>

<div id="normative" class="major">
  <h2>Recommendation-Track Drafts</h2>
        <table>
  <tbody id="user-content-complete">
    <tr>
      <th>Complete</th>
      <th>ED</th>
      <th>TR</th>
    </tr>
    <tr>
      <td>Content Security Policy Level 1</td>
      <td></td>
      <td><a href="http://w3.org/TR/CSP1/" rel="nofollow">NOTE: /TR/CSP1</a></td>
    </tr>
        <tr>
      <td>Subresource Integrity</td>
      <td><a href="https://w3c.github.io/webappsec-subresource-integrity/" rel="nofollow">webappsec-subresource-integrity</a></td>
      <td><a href="http://w3.org/TR/SRI/" rel="nofollow">REC: /TR/SRI/</a></td>
    </tr>
     <tr>
      <td>Content Security Policy Level 2</td>
      <td><a href="https://w3c.github.io/webappsec-csp/2/" rel="nofollow">webappsec-csp</a></td>
      <td><a href="http://w3.org/TR/CSP2/" rel="nofollow">REC: /TR/CSP2</a></td>
    </tr>
  </tbody>
  <tbody id="user-content-stable"><tr><th>Stable</th>
      <th>ED</th>
      <th>TR</th>
    </tr>
       <tr>
      <td>Mixed Content</td>
      <td><a href="https://w3c.github.io/webappsec-mixed-content/" rel="nofollow">webappsec-mixed-content</a></td>
      <td><a href="http://w3.org/TR/mixed-content/" rel="nofollow">CR: /TR/mixed-content/</a></td>
    </tr>
    <tr>
      <td>Upgrade Insecure Requests</td>
      <td><a href="https://w3c.github.io/webappsec-upgrade-insecure-requests/" rel="nofollow">webappsec-upgrade-insecure-requests</a></td>
      <td><a href="http://w3.org/TR/upgrade-insecure-requests/" rel="nofollow">WD: /TR/upgrade-insecure-requests/</a></td>
    </tr>
        <tr>
      <td>Secure Contexts</td>
      <td><a href="https://w3c.github.io/webappsec-secure-contexts/" rel="nofollow">webappsec-secure-contexts</a></td>
      <td><a href="http://w3.org/TR/powerful-features/" rel="nofollow">CR: /TR/powerful-features/</a></td>
    </tr>
        <tr>
      <td>Referrer Policy</td>
      <td><a href="https://w3c.github.io/webappsec-referrer-policy/" rel="nofollow">webappsec-referrer-policy</a></td>
      <td><a href="http://w3.org/TR/referrer-policy/" rel="nofollow">CR: /TR/referrer-policy/</a></td>
    </tr>
  </tbody>
  <tbody id="user-content-stabilizing">
    <tr>
      <th>Stabilizing</th>
      <th>ED</th>
      <th>TR</th>
    </tr>
    <tr>
      <td>Credential Management Level 1</td>
      <td><a href="https://w3c.github.io/webappsec-credential-management/" rel="nofollow">webappsec-credential-management</a></td>
      <td><a href="http://w3.org/TR/credential-management/" rel="nofollow">WD: /TR/credential-management/</a></td>
    </tr>
    <tr>
      <td>Permissions API</td>
      <td><a href="https://w3c.github.io/permissions/" rel="nofollow">permissions</a></td>
      <td><a href="http://w3.org/TR/permissions/" rel="nofollow">FPWD: /TR/permissions/</a></td>
    </tr>
   <tr>
      <td>Content Security Policy Level 3</td>
      <td><a href="https://w3c.github.io/webappsec-csp/2/" rel="nofollow">webappsec-csp</a></td>
      <td><a href="http://w3.org/TR/CSP2/" rel="nofollow">WD: /TR/CSP</a></td>
    </tr>
  </tbody>
  <tbody id="user-content-wip">
    <tr>
      <th>Works in Progress</th>
      <th>ED</th>
      <th>TR</th>
    </tr>
    <tr>
      <td>Clear Site Data</td>
      <td><a href="https://w3c.github.io/webappsec-clear-site-data/" rel="nofollow">webappsec-clear-site-data</a></td>
      <td><a href="http://w3.org/TR/clear-site-data/" rel="nofollow">FPWD: /TR/clear-site-data/</a></td>
    </tr>
    <tr>
      <td>Confinement with Origin Web Labels</td>
      <td><a href="https://w3c.github.io/webappsec-cowl/" rel="nofollow">webappsec-cowl</a></td>
      <td><a href="http://w3.org/TR/cowl/" rel="nofollow">FPWD: /TR/cowl/</a></td>
    </tr>
    <tr>
      <td>CSP Pinning</td>
      <td><a href="https://w3c.github.io/webappsec-csp/pinning/" rel="nofollow">webappsec-csp</a></td>
      <td><a href="http://w3.org/TR/csp-pinning/" rel="nofollow">FPWD: /TR/csp-pinning/</a></td>
    </tr>
    <tr>
      <td>Entry Point Regulation</td>
      <td><a href="https://w3c.github.io/webappsec-epr/" rel="nofollow">webappsec-epr</a></td>
      <td><a href="http://w3.org/TR/epr/" rel="nofollow">FPWD: /TR/epr/</a></td>
    </tr>
  </tbody>
</table>
<!--
    <div class="spec">
        <div class="specTitle"><a href="https://w3c.github.io/webappsec-csp/">Content Security Policy Level 3</a></div>
        <div class="specStatus narrowBlockDisplay">Working Draft</div>
        <div class="specDate narrowBlockDisplay">13-September-2016</div>
        <div class="specEditors narrowBlockDisplay">Mike West</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/UISecurity/">User Interface Security Directives for Content Security Policy</a></div>
        <div class="specStatus narrowBlockDisplay">Working Draft</div>
        <div class="specDate narrowBlockDisplay">07-June-2016</div>
        <div class="specEditors narrowBlockDisplay">Brad Hill</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

       <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/SRI/">Subresource Integrity Level 2</a></div>
        <div class="specStatus narrowBlockDisplay">Editor's Draft</div>
        <div class="specDate narrowBlockDisplay">13-July-2016</div>
        <div class="specEditors narrowBlockDisplay">Frederik Braun, Devdatta Akhawe, Joel Weinberger, Francois Marier,Mike West</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/referrer-policy/">Referrer Policy</a></div>
        <div class="specStatus narrowBlockDisplay">Candidate Recommendation</div>
        <div class="specDate narrowBlockDisplay">26-January-2017</div>
        <div class="specEditors narrowBlockDisplay">Jochen Eisinger, Emily Stark</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/mixed-content/">Mixed Content</a></div>
        <div class="specStatus narrowBlockDisplay">Candidate Recommendation</div>
        <div class="specDate narrowBlockDisplay">02-August-2016</div>
        <div class="specEditors narrowBlockDisplay">Mike West</div>
        <div class="testCoordinators narrowBlockDisplay">Kristijan Burnik</div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/secure-contexts/">Secure Contexts</a></div>
        <div class="specStatus narrowBlockDisplay">Candidate Recommendation</div>
        <div class="specDate narrowBlockDisplay">15-September-2016</div>
        <div class="specEditors narrowBlockDisplay">Mike West</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/upgrade-insecure-requests/">Upgrade Insecure Requests</a></div>
        <div class="specStatus narrowBlockDisplay">Candidate Recommendation</div>
        <div class="specDate narrowBlockDisplay">08-October-2015</div>
        <div class="specEditors narrowBlockDisplay">Mike West</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="ghttps://w3c.github.io/permissions/">The Permissions API</a></div>
        <div class="specStatus narrowBlockDisplay">First Public Working Draft</div>
        <div class="specDate narrowBlockDisplay">07-April-2015</div>
        <div class="specEditors narrowBlockDisplay">Mounir Lamouri, Marcos Cáceres</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://w3c.github.io/webappsec-credential-management/">Credential Management Level 1</a></div>
        <div class="specStatus narrowBlockDisplay">Working Draft</div>
        <div class="specDate narrowBlockDisplay">25-April-2016</div>
        <div class="specEditors narrowBlockDisplay">Mike West</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://w3c.github.io/webappsec-clear-site-data/">Clear Site Data</a></div>
        <div class="specStatus narrowBlockDisplay">Working Draft</div>
        <div class="specDate narrowBlockDisplay">20-July-2016</div>
        <div class="specEditors narrowBlockDisplay">Mike West</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://w3c.github.io/webappsec-cowl/">Confinement with Origin Web Labels (COWL)</a></div>
        <div class="specStatus narrowBlockDisplay">First Public Working Draft</div>
        <div class="specDate narrowBlockDisplay">15-October-2015</div>
        <div class="specEditors narrowBlockDisplay">Deian Stefan</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://w3c.github.io/webappsec-csp/embedded/">Content Security Policy: Embedded Enforcement</a></div>
        <div class="specStatus narrowBlockDisplay">First Public Working Draft</div>
        <div class="specDate narrowBlockDisplay">15-December-2015</div>
        <div class="specEditors narrowBlockDisplay">Mike West</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>
-->
</div>

<div id="normativeComplete" class="major">
    <h2>W3C Recommendations</h2>


    <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/CSP2/">Content Security Policy Level 2</a></div>
        <div class="specStatus narrowBlockDisplay">Recommendation</div>
        <div class="specDate narrowBlockDisplay">15-December-2016</div>
        <div class="specEditors narrowBlockDisplay">Mike West, Dan Veditz, Adam Barth</div>
        <div class="testCoordinators narrowBlockDisplay">Mike West, Brad Hill</div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/CORS/">Cross-Origin Resource Sharing</a></div>
        <div class="specStatus narrowBlockDisplay">Recommendation</div>
        <div class="specDate narrowBlockDisplay">16-January-2014</div>
        <div class="specEditors narrowBlockDisplay">Anne van Kesteren</div>
        <div class="specRemarks narrowBlockDisplay">Joint publication with <a href="https://www.w3.org/2008/webapps/">WebApps WG</a>.  Succeeded by: <a href="https://fetch.spec.whatwg.org/#http-cors-protocol">https://fetch.spec.whatwg.org/#http-cors-protocol</a> </div>
    </div>

       <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/SRI/">Subresource Integrity</a></div>
        <div class="specStatus narrowBlockDisplay">Recommendation</div>
        <div class="specDate narrowBlockDisplay">23-June-2016</div>
        <div class="specEditors narrowBlockDisplay">Frederik Braun, Devdatta Akhawe, Joel Weinberger, Francois Marier,Mike West</div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

</div>


<div id="nonNormative" class="major">
    <h2>Non-Recommendation-Track Documents</h2>

    <div class="spec">
        <div class="specTitle"><a href="https://w3c.github.io/webappsec-cors-for-developers/">CORS for Developers</a></div>
        <div class="specStatus narrowBlockDisplay">(Proposed) Working Group Note</div>
        <div class="specDate narrowBlockDisplay">15-October-2016</div>
        <div class="specEditors narrowBlockDisplay">Brad Hill</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/CSP1/">Content Security Policy 1.0</a></div>
        <div class="specStatus narrowBlockDisplay">Working Group Note (deprecated)</div>
        <div class="specDate narrowBlockDisplay">19-February-2015</div>
        <div class="specEditors narrowBlockDisplay">Brandon Sterne, Adam Barth</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay">Succeeded by Content Security Policy Level 2</div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/2010/WD-UMP-20100126/">Uniform Messaging Policy, Level One</a></div>
        <div class="specStatus narrowBlockDisplay">Working Group Note</div>
        <div class="specDate narrowBlockDisplay">26-January-2010</div>
        <div class="specEditors narrowBlockDisplay">Tyler Close, Mark Miller</div>
        <div class="specRemarks narrowBlockDisplay">Input document for Cross-Origin Resource Sharing from <a href="https://www.w3.org/2008/webapps/">WebApps WG</a></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/2001/tag/2011/02/security-web.html">Security On the Web</a></div>
        <div class="specStatus narrowBlockDisplay">No offical status</div>
        <div class="specDate narrowBlockDisplay">04-February-2011</div>
        <div class="specEditors narrowBlockDisplay">John Kemp</div>
        <div class="specRemarks narrowBlockDisplay">Input and reference document</div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/csp-pinning/">Content Security Policy Pinning</a></div>
        <div class="specStatus narrowBlockDisplay">Working Group Note (deprecated)</div>
        <div class="specDate narrowBlockDisplay">13-September-2016</div>
        <div class="specEditors narrowBlockDisplay">Mike West</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/epr/">Entry Point Regulation</a></div>
        <div class="specStatus narrowBlockDisplay">Working Group Note (deprecated)</div>
        <div class="specDate narrowBlockDisplay">13-September-2016</div>
        <div class="specEditors narrowBlockDisplay">David Ross, Mike West</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

    <div class="spec">
        <div class="specTitle"><a href="https://www.w3.org/TR/csp-cookies/">Content Security Policy: Cookie Controls</a></div>
        <div class="specStatus narrowBlockDisplay">Working Group Note (deprecated)</div>
        <div class="specDate narrowBlockDisplay">16-September-2016</div>
        <div class="specEditors narrowBlockDisplay">Mike West</div>
        <div class="testCoordinators narrowBlockDisplay"></div>
        <div class="specRemarks narrowBlockDisplay"></div>
    </div>

</div>

<div id="administrative" class="major">
    <h2>Administrative</h2>

    <h3>Charter</h3>
    <p>The WebAppSec Working Group operates under a
        <a href="https://www.w3.org/2011/webappsec/charter-2017.html">charter</a>
        approved on 22 March 2017.</p>

    <h3>Patent Disclosures</h3>
    <p>The W3C maintains a <a rel="disclosure"
        href="https://www.w3.org/2004/01/pp-impl/49309/status">public list of any patent
        disclosures</a> made in connection with the deliverables of the group; that
        page also includes instructions for disclosing a patent.</p>

    <h3>Chairs</h3>
    <p>Daniel Veditz (Mozilla) and Mike West (Google)</p>

    <h3>W3C Team Contacts</h3>
    <p>Wendy Seltzer and Samuel Weiler</p>

    <h3>Membership</h3>
    <p>(W3C Member-Only) See
        <a href="https://www.w3.org/2000/09/dbwg/details?group=49309">DBWG</a>
        and <a href="https://www.w3.org/2004/01/pp-impl/49309/status">IPP</a>
        for a list of WG participants.</p>
    <p><a href="https://www.w3.org/2004/01/pp-impl/49309/join">Join</a> the group.</p>

    <h3>Liasons with Other Groups</h3>
        <p>Members and the public interested in this WG's work may also want to
            follow the <a href="http://w3.org/">W3C</a>
            <a href="https://www.w3.org/Security/wiki/IG">
            Web Security Interest Group</a> and
            <a href="https://www.w3.org/webauthn">
            Web Authentication Working Group</a>
            as well as the <a href="https://tools.ietf.org/wg/websec/">
            Websec Working Group</a> at the <a href="http://ietf.org/">IETF</a>.</p>
</div>

</body>
<html>