Continuing the series that puts the emphasis on the key areas that help ensure that the Web works, for everyone, this month I am diving into Web security. It is one of the key areas that we call “horizontals” and that shape every W3C work package because they involve approaches that are common to all work groups. Our horizontals are Web accessibility, internationalization, security and privacy.
The imperative
Creating a more trustworthy web and protecting user privacy is fundamental to creating a web that works, for everyone.
Privacy and security are integral to human rights and civil liberties, and are essential to the success of the web platform. Today, so many of the features of the web and its usage involve information about people and their communications that privacy must be considered consistently across the design of the entire platform. The human factors and the sociotechnical aspects add further complexity.
To affirmatively realize the privacy of people using the web and address privacy threats that have already arisen requires us to operate in an interdisciplinary and global space, and to develop dedicated privacy features.
How W3C approaches privacy on the web
Following the mid-2000s W3C work on Platform for Privacy Preferences (P3P), the W3C Team in 2011 identified the need to strengthen the foundations of trust on the web for communities large and small to access and share data, and made it an area of focus. The evolution then trended toward significantly more intense collection, processing, and publication of personal data.
We follow a recipe that is simple but whose details matter:
- Review the privacy of web standards
- Advise W3C groups developing standards to mitigate privacy issues
- Develop some private technology standards
Horizontal reviews are conducted for privacy of proposals and specifications under development by other W3C Working Groups and Community Groups, and of charters for other W3C groups. Related to that is advising groups developing standards on how to avoid and mitigate privacy issues with web technologies.
The other main component is the standardization of new technical mechanisms that improve privacy on the web, including work moving from incubation when there is a basic technical design, significant implementer interest and activity.
The W3C Privacy Working Group undertakes the former and a lot of the latter. The rest of the privacy-focused features specific to technical work covered by another Working Group are typically best developed in those Working Groups, alongside related technical features.
In focus: Global Privacy Control, Private Advertising
Global Privacy Control (GPC) defines a signal, transmitted over HTTP and through the DOM, that conveys a person's request to websites and services to not sell or share their personal information with third parties. This standard is intended to work with existing and upcoming legal frameworks that render such requests enforceable.
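As an added illustration (not code from this post or from W3C), here is how a site could honor the signal on both channels. `Sec-GPC`, `navigator.globalPrivacyControl` and `/.well-known/gpc.json` are the names used by the GPC draft; the function names, the integration list, the `lastUpdate` date and the sample requests are assumptions constructed for the example.

```javascript
// Constructed catalogue of third-party integrations. "sharesData" marks the
// ones this hypothetical site treats as selling or sharing personal data.
const INTEGRATIONS = [
  { name: 'ad-exchange', sharesData: true },
  { name: 'data-broker', sharesData: true },
  { name: 'error-monitor', sharesData: false },
];

// Server side: read the signal from a Node-style headers object (lower-cased
// keys). "1" is the only value that expresses the preference. Node joins
// repeated headers with ", ", so each member is checked; honoring the signal
// when any member is exactly "1" is this example's privacy-leaning choice.
function hasGpcSignal(headers) {
  const raw = headers['sec-gpc'];
  if (typeof raw !== 'string') return false;
  return raw.split(',').some((v) => v.trim() === '1');
}

// Client side: the same preference is exposed to scripts through the DOM.
// Pass `navigator` in a browser; anything but boolean true counts as unset.
function hasGpcInDom(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Drop every data-sharing integration when the visitor has opted out.
function allowedIntegrations(headers) {
  const optedOut = hasGpcSignal(headers);
  return INTEGRATIONS
    .filter((i) => !(optedOut && i.sharesData))
    .map((i) => i.name);
}

// Minimal request handler returning a plain response object.
function handle(req) {
  if (req.url === '/.well-known/gpc.json') {
    // Support resource: declares that the site abides by GPC requests.
    return {
      status: 200,
      headers: { 'content-type': 'application/json' },
      body: JSON.stringify({ gpc: true, lastUpdate: '2025-01-01' }), // constructed date
    };
  }
  return {
    status: 200,
    headers: {
      'content-type': 'application/json',
      // The body differs by Sec-GPC, so shared caches must key on it;
      // otherwise an opted-out visitor can be served the tracking variant.
      vary: 'Sec-GPC',
    },
    body: JSON.stringify({
      gpc: hasGpcSignal(req.headers),
      integrations: allowedIntegrations(req.headers),
    }),
  };
}

// Constructed sample requests.
console.log(handle({ url: '/config', headers: { 'sec-gpc': '1' } }).body);
console.log(handle({ url: '/config', headers: {} }).body);
```
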
W3C launched the Private Advertising Working Group in late 2024, motivated by the Ethical Web Principles W3C Statement, to specify web features and APIs that support advertising while acting in the interests of users, in particular providing strong privacy assurances using predominantly technical means.
If you wish to know more about ongoing work, I suggest you take 8 minutes to watch the Privacy talk my colleague Tara Whalen, W3C Privacy Lead, gave in early April 2025.
W3C Statement: Privacy Principles
The Privacy Principles were elevated in May 2025 to W3C Statement, which means that although the document is informative and not a formal standard in nature, it creates a stable reference that has received formal review and endorsement from W3C Members.
The document provides definitions for privacy that are applicable worldwide as well as a set of privacy principles that aim to guide the development of the web as a trustworthy platform.
You can read more in Tara Whalen’s blog post on the W3C Statement: New Privacy Principles for a more trustworthy web.

Protecting user privacy is fundamental to creating a web that works for everyone. Last week, W3C published its Statement on Privacy Principles, in support of furthering this goal. This document defines some foundational privacy concepts and provides a set of privacy principles to guide web development. We hope this guide will enhance the community’s understanding of privacy, illustrate ways of realizing it in practice, and inspire a vision of the trustworthy web that we can create and sustain together.
Last December, W3C published its first ever Statement, on Ethical Web Principles. The Privacy Principles Statement continues this series, focusing specifically on the considerations required for creating a web that respects people’s privacy. This milestone is significant: W3C Statements are documents that have been formally reviewed and endorsed by W3C's membership as a whole. The Privacy Principles document was developed over three years and incorporated feedback and contributions from the W3C community, and is now accepted as a W3C Statement to indicate our collective stance on the fundamental importance of web privacy and how to achieve it in practice.
I first started working on privacy with W3C in 2012 (as one of the original co-chairs of the Privacy Interest Group) and I have seen first-hand how users’ online privacy has evolved over the years, both in terms of new opportunities as well as new challenges. During this time, a lot of helpful privacy material has been produced, such as a guide on mitigating browser fingerprinting (to reduce the risk of user tracking) and a questionnaire to assist specification authors and reviewers in improving the level of privacy and security of their designs. The Privacy Principles Statement complements this body of work by providing a more general document that includes core privacy concepts as well as overarching guidance that ensures privacy is built into the foundations of web technologies.
Privacy is a very broad topic. In order to reason about privacy on the web, and therefore provide actionable guidance, it’s first necessary to define what we mean by privacy in the context of the web. That’s why this document begins with an introduction to privacy on the web, covering topics like data governance, individual autonomy, deceptive patterns, consent, opt-out and privacy labor, as well as the role that browsers (user agents) play in safeguarding web users. This provides context for the actionable principles, each of which is marked with the audiences that it's most relevant to: websites, user agents or API (web technology) designers.
It’s also important to consider how web technologies interact with social and policy aspects in the privacy realm. The regulatory environment, for example, is constantly evolving and has significant implications for the data protection of users around the world. One of the goals of the Privacy Principles Statement is to support online privacy regulations; the document is written to address both technological and policy considerations and hopefully help achieve some alignment between different regulatory regimes. Because the discussions around online data can sometimes become complex, the document includes several short, concrete examples to illustrate privacy risks and possible mitigations – for example, handling geolocation information or managing children’s services.
It’s taken a lot of work from many members of the W3C community to get these Privacy Principles to this stage, and I want to acknowledge their hard work and dedication. This document is the result of sustained effort by the Privacy Principles Task Force (a group representing a wide range of web stakeholders, convened by the W3C Technical Architecture Group), with particular credit to its Chair Daniel Appelquist and to the document editors, Robin Berjon and Jeffrey Yasskin. Additional thanks are due to all of the people who constructively engaged in discussions about web privacy–some of them over several years!–that were instrumental in producing a Statement that accurately reflects our collective privacy vision for the web.
While we’re taking a moment to celebrate the publication of this document, we acknowledge that the work is far from over. We’re eager to hear feedback about the Privacy Principles, which we can use to improve and expand our future documentation. And of course we encourage you to put the principles into practice as we build a better web!
The Publishing Maintenance Working Group (PMWG) is pleased to announce the final update of the W3C Recommendation for EPUB® 3.3.
The publishing community has thoroughly tested these Recommendations. When presented for publication, support was unanimous among responding W3C Members. It is encouraging that several reviewers indicated that they produce or plan to produce products that use this specification.
Corrections made to EPUB Recommendations
This update introduces no new features. The changes clarify the language and bring it in line with related specifications. The PMWG reports:
- We fixed the epub:type attribute not allowed on links in SVG;
- We clarified the requirements for SVG embedded by inclusion and by reference; and
- We fixed our white space definition for the fixed layout viewport meta tag. This disallowed form feed, avoiding potential rendering issues.
What’s next for EPUB3?
The PMWG’s work continues with the next major revision to the EPUB 3 family of Recommendations. This upcoming version will add new normative features to the specifications. For more information, please refer to the Publishing Maintenance Working Group Charter.
The WG will take on these tasks:
- Ensuring a good experience when reading in dark mode
- Considering adding support for HTML in the EPUB package, and
- Standardizing practices for content like footnotes & endnotes.
New Task Forces: Digital Comics, and EPUB Annotations
The Digital Comics Task Force will explore how EPUB can better support comics creators and readers. This would include webtoons, manga, graphic novels, and similar content. Digital comics are often read as a continuous scroll on mobile devices. They are not usually separated into pages like a typical ebook. The TF will develop scrolling specifications for both ebook producers and ebook reading systems. Another important feature of manga and webtoons is serialization. Digital comics need new metadata so that people can find the next installment of their favorite manga.
Currently, people can annotate EPUBs within a reading system. But the annotation remains with the platform, not the publication. There are use cases for annotations stored within an EPUB package. Researchers could access their notes from multiple devices, and potentially export the annotations. Teachers would be able to share their perspective with students. Annotations are valuable in legal documents, too. Ebook reading platforms could benefit from making it easier for people to switch accounts. An EPUB Annotations Task Force will look into adding this long-requested feature to EPUB.
Accessibility in EPUB
The Accessibility Task Force and the Fixed Layout (FXL) Accessibility Task Force will continue their work. The FXL Accessibility Task Force is developing a techniques document. It will include specific models and examples. Since the current FXL EPUBs cannot be fully accessible, the TF will incubate ways around this with new technology. Additionally, they are tasked with bridging EPUB metadata to library and other publication data systems. This will ensure that people can find an ebook that suits their reading needs.
The Accessibility Task Force topics include moving from WCAG 2.0 to 2.1 or 2.2 as the floor specification. They will also look at metadata. New metadata is needed to identify publisher contacts for accessibility issues. The TF intends to develop a way to deterministically identify content by type. With that in place, people will know if they can access an ebook’s content.
Contact the group's co-chairs if you have an interest in one of these TFs and would like to contribute to the new EPUB specifications.
EPUB 3.4 working drafts
The Working Group has published the first working drafts of the EPUB 3.4 specification below. At this moment, the initial Working Drafts are essentially identical to the 3.3 versions, but the Working Group plans to evolve these documents to a standard in about two years.
Congratulations to Matt Garrish, main editor; co-chairs Wendy Reid, Shinya Takami; co-editor and W3C staff contact Ivan Herman; and the entire Publishing Maintenance Working Group for this update.
You know the feeling. You’re in a product meeting, skimming GitHub issues, or catching up on another EU regulatory proposal, and you realize there’s something missing in how we’re building for the web. Maybe it’s a technical shortfall, maybe it’s a user experience no one’s nailed yet, or maybe it’s a whole category of use case the current standards aren’t touching with a ten-foot pole.
That’s where the W3C Exploration Interest Group (IG) comes in.
We’re not a working group. We’re not here to define normative specs. We’re here to connect the dots between the real world and the standards world and to ask better questions before jumping to answers. Think of us as the early R&D lab for identity, authentication, and trust on the web.
Why this group, and why now?
If you’re building for the web, navigating its policy landscape, or just trying to make something interoperable, this group’s for you. Why? Because web identity is in flux. Cookies are on the way out. Federated login flows are being rebuilt. Browsers are experimenting with new APIs. And regulators? They're not exactly standing still either.
If we want a web that works for real users, across real use cases, we need more people at the table who can say:
“Here’s what’s happening in production, and here’s what we still don’t understand.”
That’s what the Exploration IG is here for: to find the gaps, to make space for disagreement, to spotlight use cases that standards groups haven’t prioritized yet, and to build the bridges that might become working group charters down the line.
What we’re exploring?
We don’t have a single-track agenda—but here’s the kind of stuff that gets us talking:
- Technical gaps between browser implementations and web specs
- Emerging wallet models, identity credentials, and federation flows
- Use cases that span trust frameworks, sectors, or jurisdictions
- Fragmentation risks when multiple standards solve the same problem differently
- Regulatory signals that need a better technical response
Contribute your ideas!
Our GitHub repo is public, and we actively welcome ideas and discussion there; this is an open forum, and everyone is welcome to contribute their ideas. If you see something in the wild that standards groups should be thinking about, bring it to us. Whether you’re an implementer, a researcher, a policymaker, or someone with a stubborn browser bug and a vision, open an issue. We want to hear from you. And if it turns into a recurring collaboration, we’d be delighted to have you join the group.
Some of the best conversations start with “I’m not sure this fits anywhere else."
And that’s exactly the kind of conversation we want to have. So if you’ve ever felt like there’s something important that doesn’t quite have a home in the standards process yet, maybe it belongs with us.
We meet every other week and organize sessions around topics raised by the community. Join us. Listen in. Bring your questions. Or just open an issue and see what happens.
The WebDX Community Group started work in 2022 to make it easier for developers to track the list of features that are widely available and those that are under development.
Since then, the Community Group has been busy developing the open-source web-features project, a shared catalog of features of the web platform, and the Baseline status to give developers clear information about which of these features work across a core browser set. Baseline badges have now been integrated in Can I Use, MDN, RUM Archive Insights, RUMvision and others. Watch the Baseline web features for the win video (September 2024) for a quick dive into the web-features project.
Today, we are happy to announce that the WebDX Community Group has reached a new milestone: most keys defined in the @mdn/browser-compat-data project (BCD), which powers support tables in MDN pages and contains the most complete set of fine-grained features defined in web specifications, have been mapped to 1000+ higher-level features in the web-features project. This provides a first nearly complete catalog of web features, along with their Baseline status. The catalog is available through the web-features package in the npm registry.
This effort would not have been possible without significant contributions from, and collaboration with, organizations such as Open Web Docs, MDN, browser vendors, and many others! Many thanks to them and to organizations that provided support in the background so that group participants could do the work.
Plotting browser support data in the catalog shows the evolution of the web platform in terms of number of features and Baseline status within browsers from the first release of Safari in June 2003 (95 features) to the end of February 2025 (1006 features), and the relative split between features that are implemented somewhere (328 as of February 2025), Baseline Newly Available (150 as of February 2025), and Baseline Widely Available (528 as of February 2025). Please keep in mind that the support data only covers browsers of the core browser set (Chrome, Edge, Firefox, Safari) and that the notion of Baseline only becomes meaningful once all these browsers have shipped a first version (after July 2015 for the Baseline Newly Available status, after January 2018 for the Baseline Widely Available status).

Evolution of the web platform in terms of number of features implemented in browsers
The list of features will of course keep growing as new features get discussed, standardized and implemented across web browsers. The group also expects to refine existing mappings, to further improve tooling (including the <baseline-status> web component to display the Baseline status of a web feature), and to work with browser vendors, maintainers of libraries, documentation and services to integrate web-features where it matters for web developers.
If you want to learn more about the project and provide feedback, you are welcome to attend the breakout session about web-features that Patrick Brosset, co-chair of the WebDX Community Group, will lead during Breakouts Day 2025 on 26 March 2025 (time still to be defined).
If you want to contribute and improve the developer experience of the web platform, please join the WebDX Community Group or bring your input to the web-platform-dx/web-features GitHub repository.
The W3C Security Web Application Guidelines (SWAG) Community Group seeks to make it easier for developers to leverage security features that are often complex in their application development.
SWAG launched in June 2024 after the W3C Workshop "Secure the Web Forward". One of the workshop’s findings, and some accompanying developer research presented there, is that web developers are generally unsure about security and their role in ensuring that web apps are secure. This group’s mission, therefore, is “to increase the overall security of web application development by writing security best practices for web developers and providing a platform for stakeholder collaboration.” In the same manner as that workshop, SWAG is intended to be connected to other organizations that share a similar mission, such as the OpenSSF Best Practices Group, OpenJS Foundation, and OWASP.
One of the first results of SWAG’s efforts is a set of videos addressing the complexities of Content Security Policy and Trusted Types. These two features can be used as effective XSS mitigations but, unfortunately, are difficult to configure due to the breadth of the threats they mitigate and the fact that they are time-consuming to debug.
Six talks introduce open-source tooling developed from Google’s large-scale CSP and Trusted Types adoption work. These tools, which serve as a natural interface between developers and the specifications, provide actionable help in a tight feedback loop during the development cycle to reduce the uncertainty and complexity of configuring these best-in-class web security mitigations against XSS. The experience of Google engineers who have shipped strict CSP and Trusted Types to hundreds of web applications is distilled into tools that provide best practices and gentle guidance toward a more secure codebase.
SWAG meets every week and those talks were recorded during the meeting of 11 November 2024. The 6 videos are available via the "Security at W3C" playlist on W3C's YouTube channel.
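To make the configuration burden concrete, the following added example (not SWAG's or Google's tooling, and not from the talks) builds a strict nonce-based CSP with Trusted Types enforcement and runs a simplified audit over a policy string. The function names, the `app-html` Trusted Types policy name and the weak sample policy are assumptions constructed for illustration.

```javascript
const { randomBytes } = require('node:crypto');

// One fresh, unguessable nonce per HTTP response (128 bits, base64).
function newNonce() {
  return randomBytes(16).toString('base64');
}

// Strict CSP: scripts run only if they carry the nonce (or are loaded by a
// script that does), and DOM injection sinks accept only Trusted Types values
// produced by the named policies. 'app-html' is a hypothetical policy name.
function strictCsp(nonce, ttPolicies = ['app-html']) {
  const tt = ttPolicies.length ? ttPolicies.join(' ') : "'none'";
  return [
    `script-src 'nonce-${nonce}' 'strict-dynamic'`,
    "object-src 'none'",
    "base-uri 'none'",
    "require-trusted-types-for 'script'",
    `trusted-types ${tt}`,
  ].join('; ');
}

// Parse a policy into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // Browsers honor the first occurrence of a directive and ignore repeats.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Simplified audit: returns a list of findings, empty when none apply.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  const script = d.get('script-src') ?? d.get('default-src');
  if (!script) {
    findings.push('no script-src or default-src: script loading is unrestricted');
  } else {
    const src = script.map((s) => s.toLowerCase());
    const nonceOrHash = src.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
    if (src.includes("'unsafe-inline'") && !nonceOrHash) {
      findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
    }
    if (src.includes("'unsafe-eval'")) {
      findings.push("script-src allows 'unsafe-eval'");
    }
    // With 'strict-dynamic', supporting browsers ignore host and scheme sources.
    if (!src.includes("'strict-dynamic'") &&
        src.some((s) => s === '*' || /^(https?|data):$/.test(s))) {
      findings.push('script-src allows a wildcard or whole-scheme source');
    }
  }
  const object = d.get('object-src') ?? d.get('default-src');
  if (!object || object.join(' ').toLowerCase() !== "'none'") {
    findings.push("object-src is not 'none'");
  }
  // base-uri does not fall back to default-src, so it must be set explicitly.
  if (!d.has('base-uri')) {
    findings.push('base-uri is missing');
  }
  if (!(d.get('require-trusted-types-for') ?? []).includes("'script'")) {
    findings.push("Trusted Types not enforced: no require-trusted-types-for 'script'");
  }
  return findings;
}

// Constructed weak policy beside the strict one.
const WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' https:";
console.log(auditCsp(WEAK_POLICY));
console.log(auditCsp(strictCsp(newNonce())));
```

In a server, the same nonce goes into the `Content-Security-Policy` response header and into the `nonce` attribute of each legitimate `<script>` element for that response.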
I recently had the pleasure of speaking at several events during the World Economic Forum in Davos, Switzerland. This was a great opportunity to represent W3C and the power of international standards, particularly since the theme this year was “Collaboration for the Intelligent Age”.
W3C’s 30 year history of global collaboration to build open, free, interoperable standards for a single world wide web is a great example of the kind of collaboration our world continues to need in rapidly changing times. As such, it was good to see how much interest there is in interoperable international standards in general and in W3C’s participation in such conversations in particular. It was great to have the opportunity to talk about the positive and at times life-changing impacts that international standards can have, and to hear others outside of the standards community express their interest, support, and even the very need for international interoperable standards.
Key points:
- Interoperability: Alain Labrique (World Health Organization) expressed how interoperable standards for health information can save lives by enabling the exchange of critical information in a crisis. Earlier in the week I shared the importance of interoperable standards around validating the provenance of critical information during disaster relief efforts.
- Trust: there was much discussion throughout these sessions of the need to increase trust in the digital infrastructure and how openness, be it open source development or an open and royalty-free standards process such as we have at W3C, serves as a foundation for trust.
- Privacy: I don’t believe you can discuss identity, security, and trust without talking about privacy. In our privacy principles, W3C emphasizes the importance of individual autonomy and the need for user agents to adhere to privacy principles in order to ensure a trustworthy web.
Ultimately, international standards can enable trustworthy solutions that support local control and security while providing a framework for global trust.
We at W3C play a critical role in making this happen. Because of our long standing focus on enabling one web for all, and our current composition representing industry leaders, big and small, from around the world, we have the potential to influence global discussions involving the web. Because the web is embedded in many different aspects of society throughout much of the world, there are many conversations outside of W3C that can impact how the web is used and even how the web is shaped. This was the first time W3C was formally represented at an event during the World Economic Forum and the opportunities that these conversations bring to us are invaluable.
It’s important for W3C to be involved in those conversations, in large part because of our knowledge and that we are a hub for major and minor implementers around the world. It’s also important that our values are represented in these discussions. The web is more than just technology - it’s technology with the fundamental purpose of interconnecting humanity. Our human-centric focus is distinct in the world of Standards Development Organizations and as such we need to be helping to shape the future of the web wherever we can.
I made important contacts and already see opportunities for W3C to further step up, because if we don’t, there are plenty of other organizations, public and private, ready to fill the void to keep work needed by the world moving, but without the same dedication to our mission.

Seth Dobbs posing in front of a House of Switzerland backdrop, WEF, Davos, January 2025
The W3C Web Interoperable Runtimes Community Group ("WinterCG") and Ecma International (the organization which standardizes ECMAScript, also known as JavaScript) have collaborated to create a new Ecma Technical Committee, TC55 – Web-interoperable server runtimes, dubbed "WinterTC", for the development of a common web-aligned API surface for server-side JavaScript runtimes like Node.js, Deno and Cloudflare Workers.
Developers these days are increasingly working “full-stack”, writing code for the client side (often web browsers) and the server side (often based on JavaScript). Reusing web platform APIs reduces developers’ cognitive load and allows some logic to be shared between client and server, or easily migrated from one to the other. This sharing is increasingly employed in technologies like server-side rendering (SSR) and server actions.
For the past two years, the W3C Web Interoperable Runtimes Community Group (“WinterCG”) has been working to strengthen the convergence of server JavaScript runtimes with the web platform by defining a common base for JavaScript in web-interoperable server environments.
WinterCG’s most prominent work item is the “minimum common API", which defines the subset of the web platform to be supported across all web-interoperable server environments. Further, WinterCG drives development on the web platform itself, as implemented in browsers, e.g., Response.json and AsyncContext. WinterCG serves as a place to gather requirements from server environments, to be solved for and standardized in other existing standards venues, including Ecma International’s TC39, WHATWG and various W3C Working Groups, when server and browser needs align.
After incubating the “minimum common API” in WinterCG, the WinterCG participants decided to charter an Ecma Technical Committee, TC55 – Web-interoperable server runtimes, ("WinterTC"), which will host the effort to standardize this API. The cooperation between venues builds off of decades of experience collaborating between W3C and Ecma International on ECMAScript (a.k.a. JavaScript) and the web platform.
Once Ecma TC55/WinterTC is set up fully, all WinterCG work will move there and the existing community group will close. WinterTC's work with W3C is not over though: "We still have a lot of work to do", says Luca Casonato, previously co-chair of WinterCG and now co-chair of Ecma TC55/WinterTC. "W3C is very central to the web platform, and a lot of the work from WinterCG touches existing web platform APIs. This means that Ecma TC55 participants and W3C will continue to work together closely."
Luca continues: "The W3C Community Group programme enabled us to start work on unifying server side and web browser JavaScript very quickly. It is a great programme that I can recommend to anyone in a similar position to ours. We are very grateful to W3C for providing us with such an excellent home over the last couple years."
We encourage participation between W3C members and Ecma TC55 to further the development of a unified “full-stack” platform incorporating JavaScript and web technologies, across web servers and clients.
“We are glad to see this work proceed from a W3C Community Group,” said Philippe Le Hégaret, W3C Strategy and Project Lead. “Congratulations to the Winter Community Group on chartering Ecma Technical Committee, TC55. We look forward to future collaborations with the W3C WebAppSec (WebCrypto API), WebApps (FileAPI), WebPerf (HR-TIME) and WebAssembly (WASM-*) Working Groups, to effectively address and meet the needs of the community.”
"Ecma is pleased to announce the formation of TC55 (Web-interoperable server runtimes), a collaborative effort with W3C that reflects our commitment to serving the community,” said Samina Husain, Ecma International Secretary General. “I commend W3C WinterCG for their dedication and foundational contributions, which have laid the groundwork for this important new technical committee in Ecma.”
Learn more on the WinterTC and Ecma TC55 websites, as well as in the announcements from Ecma, Igalia and Deno.