Closed mikewest closed 3 years ago
Approved
OK, the document is now staged at https://www.w3.org/TR/2021/WD-post-spectre-webdev-20210316/ and the W3C will publish/announce it on March 16 — at which time, the https://www.w3.org/TR/post-spectre-webdev/ URL will begin working.
Document title, URLs, estimated publication date
Title: Post-Spectre Web Development
URL: https://w3c.github.io/webappsec-post-spectre-webdev/fpwd.html
Date: Soon?
Abstract
Post-Spectre, we need to adopt some new strategies for safe and secure web development. This document outlines a threat model we can share, and a set of mitigation recommendations.
TL;DR: Your data must not unexpectedly enter an attacker’s process.
Status
This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the latest revision of this technical report can be found in the W3C technical reports index at https://www.w3.org/TR/.
This document was published by the Web Application Security Working Group as a Working Draft. This document is intended to become a W3C Note.
The (archived) public mailing list public-webappsec@w3.org (see instructions) is preferred for discussion of this specification. When sending e-mail, please put the text “post-spectre-webdev” in the subject, preferably like this: “[post-spectre-webdev] …summary of comment…”
This document is a First Public Working Draft.
Publication as a First Public Working Draft does not imply endorsement by the W3C Membership. This is a draft document and may be updated, replaced or obsoleted by other documents at any time. It is inappropriate to cite this document as other than work in progress.
This document was produced by the Web Application Security Working Group.
This document was produced by a group operating under the W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.
This document is governed by the 15 September 2020 W3C Process Document.
Is it a delta specification intended to become a W3C Recommendation?
No. This is intended to become a NOTE after some iteration.
Link to group's decision to request transition
https://lists.w3.org/Archives/Public/public-webappsec/2021Mar/0014.html
Information about implementations known to the Working Group
Chromium, Gecko, and WebKit all implement some or all of the mitigations recommended in this document.
/cc @dveditz @wseltzer @samuelweiler to verify that I'm holding this form right.