The government's Central Office of Information (COI) document on browser standards for public web sites is undergoing consultation, but it does not mention security.
The Browser Standards Consultation is drawing many powerful responses from the design and development community, for example:
- UK government draft browser guidance is daft browser guidance from the Web Standards Project
- Public sector browser standards
- Opera's response to the browser standards consultation
The initiative is nevertheless welcome, but the guidance contains no information on ensuring user security, and there has been virtually no comment on this aspect from elsewhere. Whilst the document seems primarily to be discussing usability, the requirements for testing that a public sector site "works in common browsers" are to check:
I think "security" should be added here as well. The London and Scotland chapters of the Open Web Application Security Project are collaborating to produce a joint response by the 17th October deadline.
It may also be a topic that comes up in the Browser Security Working Session at OWASP's EU Summit 08 in Portugal next month. I'll be at the summit and recommend it highly to architects, designers and developers who want to build security into their web sites and applications. The working sessions and conference are an ideal place to learn about the numerous OWASP projects and initiatives. You can get involved too.
Update 16th October 2008: The OWASP UK Chapters submitted their joint response today.
Update 24th October 2008: The British Computer Society's response also discussed the need for good security in design, the effect of browser standards on security and the need for security testing.
Posted on: 14 October 2008 at 08:50 hrs