Software

This trial-use standard defines a standardized method for the design of quantum algorithms. The defined methods apply to any type of algorithm that can be assimilated into quantum primitives and/or quantum applications. The design of the algorithms is done preceding quantum programming.

Recommendation ITU-T X.1714 describes key combination methods for quantum key distribution network (QKDN) and specifies security requirements for both the key combination and the key supply from QKDN to cryptographic applications.

ISO/IEC TR 30125:2016 provides guidance for developing a consistent and secure method of biometric (either alone or supported by non-biometric) personalization and authentication in a mobile environment for systems procured on the open market.

SARIF TC members are developing an interoperability standard for detecting software defects and vulnerabilities. The goal is to define a common output format for static analysis tools that will make it feasible for developers and teams to view, understand, interact with, and manage the results produced by all their tools.
 
SARIF represents a leap forward in the usability of static analysis tools. Many organizations in the safety and security communities use several competing tools on their code. SARIF will allow them to combine and compare the results more easily to gain a sharper picture of the issues in their code that need to be addressed. Engineering teams will be able to easily access a broad range of potential defects and vulnerabilities in compliance with privacy and accessibility standards. SARIF will support the development of products whose code spans languages and operating systems.

The mission of the Browser Testing and Tools Working Group is to produce technologies for use in testing, debugging, and troubleshooting of Web applications running in Web browsers.
 
The scope of the Browser Testing and Tools Working Group includes protocols and APIs for the purpose of automating testing of Web applications running in browsers—for example, to simulate user actions such as clicking links, entering text, and submitting forms.

The mission of the Immersive Web Working Group is to help bring high-performance Virtual Reality (VR) and Augmented Reality (AR) (collectively known as XR) to the open Web via APIs to interact with XR devices and sensors in browsers.
 
The Immersive Web Working Group will develop standardized APIs to provide access to input and output capabilities commonly associated with XR hardware such as Google’s Daydream, the Oculus Rift, the Samsung GearVR, the HTC Vive, and Windows Mixed Reality headsets and sensors as well as mobile handheld devices and standalone headsets such as the Oculus Go. The WG will develop APIs to enable the creation of XR web experiences that are embeddable in the Web of today, enabling progressive enhancement of existing sites.
 
The scope of the Immersive Web Working Group charter is to define APIs which:

• Detect available XR devices and sensors.
• Query XR devices for device-specific capabilities.
• Receive updated information about the device's position and orientation over time.
• Receive updated information about the device's environment.
• Present imagery to the device at the device's native frame rate, using the device’s position and orientation over time to provide an immersive experience.
• Provide information about XR-specific input, including tracked controller state and hand gesture.
• For augmenting reality on devices which support AR, enable XR sessions that provide real-world display, and provide the ability to hit-test surfaces in the real world.

The mission of the Media Working Group is to develop and improve client-side media processing and playback features on the Web.
 
Standardization efforts to develop media foundations for the Web, such as the HTMLMediaElement interface and Media Source Extensions, have helped turn the Web into a major platform for media streaming and media consumption. Building on the experience gained through implementation, deployment and usage of these technologies, and on incubation discussions within the Web Platform Incubator Community Group, the Media Working Group will extend media foundations with new standardized technologies to improve the overall media playback experience on the Web.
 
The scope of the Media Working Group is:

• Detection of media capabilities
• Detection of the autoplay policy
• Statistics on perceived playback quality
• Generation of media streams for playback
• Playback of encrypted content
• Exposure of media features at the system level to Web applications (e.g. access to platform media keys, display of media metadata at the system level, creation of an always-on-top video window) to Web applications
• Exposure of metadata event tracks synchronized to audio or video media

The mission of the Scalable Vector Graphics (SVG) Working Group is to develop and maintain SVG.
 
Scalable Vector Graphics (SVG) is a language that allows authors and users to describe graphics in a way which is scalable to different device resolutions, acessible, and animatable.
 
The SVG WG develops the SVG specifications. They consist of the following, somewhat independent technologies, all of which are in scope for the SVG Working Group:

• A syntax for retained-model structured graphics. Both XML and HTML5 syntaxes are suported. Styling characteristics are CSS properties, expressed as stylesheets or as presentation attributes.
• A rendering model which describes how the elements of SVG produce a graphical representation
• An Object Model, a set of standard APIs, to which libraries can be written for manipulating dynamic and responsive graphics.

As a primary focus in this charter period, the group will concentrate on the stabilization and interoperability testing of the core SVG 2 specification. As part of that testing, features which are in the reference draft of SVG2 and which do not meet the stability and interoperability requirements for a Proposed Recommendation may be moved to separate specification modules, work on which would remain in scope, but at a lower priority.
 
As a secondary focus, the group may address modules for new graphical features for SVG, once there is broad consensus on adding each such feature to the Web Platform. The SVG Community Group (and also any other fora, such as WICG) will incubate new proposals. Once an incubated proposal is implemented and available (in nightly or testing builds) in at least one major browser, and has support from other SVG implementers, it may be adopted by the SVG Working Group. A requirements document will be used to collect together these features.

The mission of the Web Application Security Working Group is to develop security and policy mechanisms to improve the security of Web Applications, and enable secure cross-site communication.
 
Modern Web Applications are composed of many parts and technologies. They may transclude, reference or have information flows between resources at the same, related or different origins. Due to the historically coarse-grained nature of the security boundaries and principals defined for such applications, they can be very difficult to secure.
 
In particular, application authors desire uniform policy mechanisms to allow application components to drop privileges and reduce the chance they will be exploited, or that exploits will compromise other content, to isolate themselves from vulnerabilities in content that might otherwise be within the same security boundaries, and to communicate securely across security boundaries. These issues are especially relevant for the many web applications which incorporate other web application resources (mashups). That is, they comprise multiple origins (i.e., security principals).
 
Areas of scope for this working group include:
 
Vulnerability Mitigation

• Vulnerabilities are inevitable in sufficiently complex applications. The WG will work on mechanisms to reduce the scope, exploitability and impact of common vulnerabilities and vulnerability classes in web applications, especially script injection / XSS.

Attack Surface Reduction
 
The WG will design mechanisms to:

• Allow applications to restrict or forbid potentially dangerous features which they do not intend to use
• Govern information and content flows into and out of an application
• Allow applications to isolate themselves from other content which may contain unrelated vulnerabilities
• Sandbox potentially untrusted content and allow it to be interacted with more safely
• Uniquely identify application content such that unauthorized modifications may be detected and prevented
• Replace or augment injection-prone APIs in the browser with safer alternatives using strategies such as sanitization, strict contextual autoescaping, and other validation and encoding strategies currently employed by server-side code.

Secure Mashups
 
Several mechanisms for secure resource sharing and messaging across origins exist or are being specified, but several common and desirable use cases are not covered by existing work, such as:

• Allowing child IFRAMEs to protect themselves from "clickjacking"
• Providing labeled information flows and confinement properties to enable secure mashups. This is especially relevant for, e.g. applications communicating between security principals with different user-granted permissions (e.g. geolocation)

Manageability
 
Given the ad-hoc nature in which many important security features of the Web have evolved, providing uniformly secure experiences to users is difficult for developers. The WG will document and create uniform experiences for several undefined areas of major utility, including:

• Treatment of Mixed HTTPS/HTTP Content and defining Secure/Authenticated Origins for purposes of user experience, content inclusion/transclusion and other information flows, and for features which require a verifiably secure environment
• Providing hinting and direct support for credential managers, whether integrated into the user-agent or 3rd-party, to assist users in managing the complexities of secure passwords
• Application awareness of features which may require explicit user permission to enable.

The Web Security Model
 
The WG may be called on to advise other WGs or the TAG on the fundamental security model of the Web Platform and may produce Recommendations towards the advancement of, or addressing legacy issues with, the model, such as mitigating cross-origin data leaks or side channel attacks.
 
In addition to developing Recommendation Track documents in support of these goals, the Web Application Security Working Group may provide review of specifications from other Working Groups, in particular as these specifications touch on chartered deliverables of this group (in particular CSP), or the Web security model, and may also develop non-normative documents in support of Web security, such as developer and user guides for its normative specifications.

The mission of the Web Applications Working Group (WebApps WG) is to produce specifications that facilitate the development of client-side web applications.
 
The scope of the WebApps Working Group is:

• Haptic input devices and their emitted events and/or data.
• Textual input and text manipulation.
• Data sharing across remote and local web applications.
• Receiving and acting upon data from remote sources.
• Accessing the file system and persistent storage.
• Interfacing with OS capabilities.
• Integrating web applications with the OS.

The working group also maintains a specification for mapping HTML elements and attributes to platform accessibility APIs, and a separate specification that defines author conformance requirements for setting ARIA attributes. The Working Group does not expect to add any other specifications relating to this matter.
 
Specifications produced by the WebApps Working Group enable developers to create web applications that work across a wide range of platforms and devices, and for a broad diversity of users, by addressing matters of accessibility, device independence, internationalization, privacy, and security.

The mission of the Web Authentication Working Group, in the Security Activity is to define a client-side API providing strong authentication functionality to Web Applications.
 
The Working Group will determine use cases that the API needs to support and use these to derive requirements. Success will be determined by the implementation of API features as defined in this section of the charter.
 
API Features in scope are: (1) Requesting generation of an asymmetric key pair within a specific scope (e.g., an origin); (2) Proving that the browser has possession of a specific private key, where the proof can only be done within the scope of the key pair. In other words, authentication should obey the same origin policy.
 
Dependencies exist on the Credential Management API in the W3C Web Application Security Working Group along with the Client To Authenticator Protocol specification in FIDO.
 
Note that the details of any user experience (such as prompts) will not be normatively specified, although they may be informatively specified for certain function calls.
 
The Web Authentication Working Group should aim to produce specifications that have wide deployment and should adopt, refine and when needed, extend, existing practices and community-driven draft specifications when possible. The APIs should integrate well with Web Applications and so should be developed in concert with Web Application developers and reviewed by the Web Application Security and Web Applications Working Groups.
 
Comprehensive test suites should be developed for the specification to ensure interoperability. User-centric privacy considerations of device management and credentials should be taken into account. The Working Group may produce protocol standards as needed by the API.

The mission of the Web Fonts Working Group is to develop specifications that allow the interoperable deployment of downloadable fonts on the Web.
 
The Web Fonts WG will develop Recommendation-track specifications as listed under deliverables; track emerging implementations, and maintain communications with the typography, Web design and implementor communities.