
<div align="center">
**ETSI EN 304-617 V0.0.6 (2025-11)**
</div>

![~~CAPTION~~](media/etsi-coverpage-logo.png)
HARMONISED EUROPEAN STANDARD  
CYBER; CRA; <br />
Essential cybersecurity requirements for Browsers 


<div style="text-align: center;">
Reference<br />
&lt;Workitem><br />
Keywords<br />
&lt;keywords><br />

ETSI<br />
650 Route des Lucioles<br />
F-06921 Sophia Antipolis Cedex - FRANCE<br />
Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16<br />
Siret N° 348 623 562 00017 - APE 7112B<br />
Association à but non lucratif enregistrée à la<br />
Sous-préfecture de Grasse (06) N° w061004871<br />
</div>



**_Important notice_**

The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI deliverable is the one made publicly available in PDF format on the ETSI deliver repository.

Users should be aware that the present document may be revised or have its status changed, this information is available in the Milestones listing.

If you find errors in the present document, please send your comments to the relevant service listed under Committee Support Staff.

If you find a security vulnerability in the present document, please report it through our Coordinated Vulnerability Disclosure (CVD) program.

**_Notice of disclaimer & limitation of liability_**

The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of experience to understand and interpret its content in accordance with generally accepted engineering or other professional standard and applicable regulations.

No recommendation as to products and services or vendors is made or should be implied.

No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness for any particular purpose or against infringement of intellectual property rights.

In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use of or inability to use the software.

<br />

**_Copyright Notification_**

No part may be reproduced or utilised in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorised by written permission of ETSI. The content of the PDF version shall not be modified without the written authorization of ETSI. The copyright and the foregoing restriction extend to reproduction in all media.

&copy; ETSI 2025.

All rights reserved.<br />


# Contents


## Table of Contents

- [Intellectual Property Rights](#intellectual-property-rights)
- [Foreword](#foreword)
- [Modal verbs terminology](#modal-verbs-terminology)
- [Executive summary](#executive-summary)
- [Introduction](#introduction)
- [1 Scope](#1-scope)
  - [1.1 Browser](#11browser-)
    - [1.1.1 Standalone](#111standalone)
    - [1.1.2 Embedded](#112-embedded)
    - [1.1.3 Progressive Web Apps (PWA)](#113-progressive-web-apps-pwa)
    - [1.1.4 Browser Extensions](#114-browser-extensions)
  - [1.2 Derivative Browsers and Manufacturer Obligations](#12-derivative-browsers-and-manufacturer-obligations)
    - [1.2.1 Open Source Browser Engines and Derivative Products](#121-open-source-browser-engines-and-derivative-products)
    - [1.2.2 Spectrum of Derivative Modifications](#122-spectrum-of-derivative-modifications)
    - [1.2.3 Manufacturer Responsibilities for Derivative Products](#123-manufacturer-responsibilities-for-derivative-products)
    - [1.2.4 Trust in Upstream Security Implementations](#124-trust-in-upstream-security-implementations)
    - [1.2.5 Application of This Standard to Derivative Browsers](#125-application-of-this-standard-to-derivative-browsers)
    - [1.2.6 State of the Art: Industry Testing and Security Practices](#126-state-of-the-art-industry-testing-and-security-practices)
- [2 References](#2-references)
  - [2.1 Normative references](#21-normative-references)
  - [2.2 Informative references](#22-informative-references)
- [3 Definition of terms, symbols and abbreviations](#3-definition-of-terms-symbols-and-abbreviations)
  - [3.1 Terms](#31-terms)
  - [3.2 Symbols](#32-symbols)
- [4 Product Context](#4-product-context)
  - [4.1 General](#41-general)
  - [4.2 Out of scope use/environments](#42-out-of-scope-useenvironments)
  - [4.3 In-Scope Components](#43-in-scope-components)
    - [4.3.1 In-Scope components standalone browser](#431-in-scope-components-standalone-browser)
    - [4.3.2 In-Scope components embedded browser](#432-in-scope-components-embedded-browser)
  - [4.4 Use Cases](#44-use-cases)
    - [4.4.1 Application to Conformity Assessment](#441-application-to-conformity-assessment)
    - [4.4.2 Use Cases for Browsers](#442-use-cases-for-browsers)
  - [4.5 Product overview and architecture](#45-product-overview-and-architecture)
    - [4.5.1 Product Definition](#451-product-definition)
    - [4.5.2 Architectural Overview](#452-architectural-overview)
      - [4.5.2.1 Core Architecture Components](#4521-core-architecture-components)
      - [4.5.2.2 Security Architecture](#4522-security-architecture)
      - [4.5.2.3 Extension Architecture](#4523-extension-architecture)
    - [4.5.3 Trust Boundaries and Threat Model](#453-trust-boundaries-and-threat-model)
      - [4.5.3.1 Trust Zones](#4531-trust-zones)
      - [4.5.3.2 Attack Surface](#4532-attack-surface)
    - [4.5.4 Deployment Contexts](#454-deployment-contexts)
      - [4.5.4.1 Consumer Environment](#4541-consumer-environment)
      - [4.5.4.2 Enterprise Environment](#4542-enterprise-environment)
      - [4.5.4.3 Specialized Environments](#4543-specialized-environments)
    - [4.5.5 Security-Relevant Characteristics](#455-security-relevant-characteristics)
      - [4.5.5.1 Dynamic Threat Landscape](#4551-dynamic-threat-landscape)
      - [4.5.5.2 Compatibility Requirements](#4552-compatibility-requirements)
      - [4.5.5.3 Performance Constraints](#4553-performance-constraints)
      - [4.5.5.4 User Agency and Autonomy](#4554-user-agency-and-autonomy)
  - [4.6 Essential functions](#46-essential-functions)
    - [4.6.1 Core Essential Functions](#461-core-essential-functions)
    - [4.6.2 Security-Related Essential Functions](#462-security-related-essential-functions)
    - [4.6.3 Embedded Browser-Specific Security Functions](#463-embedded-browser-specific-security-functions)
    - [4.6.4 Functions NOT Considered Essential](#464-functions-not-considered-essential)
  - [4.7 Operational Environment](#47-operational-environment)
    - [4.7.1 Technical Environment](#471-technical-environment)
    - [4.7.2 Physical Environment](#472-physical-environment)
    - [4.7.3 Organizational Environment](#473-organizational-environment)
    - [4.7.4 Threat Environment](#474-threat-environment)
    - [4.7.5 Lifecycle Environment](#475-lifecycle-environment)
  - [4.8 Users](#48-users)
    - [4.8.1 User Categories](#481-user-categories)
    - [4.8.2 User Behavior Patterns](#482-user-behavior-patterns)
    - [4.8.3 User Needs and Expectations](#483-user-needs-and-expectations)
    - [4.8.4 User Assistance and Responsibilities](#484-user-assistance-and-responsibilities)
    - [4.8.5 Accessibility Considerations](#485-accessibility-considerations)
- [5 Browser-Specific Risk Factors](#5-browser-specific-risk-factors)
  - [5.1 Isolation Mechanisms](#51-isolation-mechanisms)
  - [5.2 Extension System Security](#52-extension-system-security)
  - [5.3 Encryption Implementation](#53-encryption-implementation)
  - [5.4 Diagnostic and Monitoring Systems](#54-diagnostic-and-monitoring-systems)
  - [5.5 Update Delivery Mechanisms](#55-update-delivery-mechanisms)
  - [5.6 Protocol Handler Security](#56-protocol-handler-security)
  - [5.7 Core Component Security](#57-core-component-security)
  - [5.8 Embedded Browser Security](#58-embedded-browser-security)
    - [5.8.1 Overview](#581-overview)
    - [5.8.2 Host Application Boundary Security](#582-host-application-boundary-security)
    - [5.8.3 Content Source Trust Management](#583-content-source-trust-management)
  - [5.9 Remote Data Processing Systems](#59-remote-data-processing-systems)
- [6 Technical Security Assessments](#6-technical-security-assessments)
  - [6.1 Domain and Origin Isolation Assessments](#61-domain-and-origin-isolation-assessments)
    - [Assessment: DOM-REQ-1 (Process-per-site isolation)](#assessment-dom-req-1-process-per-site-isolation)
    - [Assessment: DOM-REQ-2 (Cross-origin read blocking)](#assessment-dom-req-2-cross-origin-read-blocking)
    - [Assessment: DOM-REQ-3 (Strict origin policy enforcement)](#assessment-dom-req-3-strict-origin-policy-enforcement)
    - [Assessment: DOM-REQ-4 (CORS preflight enforcement)](#assessment-dom-req-4-cors-preflight-enforcement)
    - [Assessment: DOM-REQ-5 (Cookie SameSite attribute enforcement)](#assessment-dom-req-5-cookie-samesite-attribute-enforcement)
    - [Assessment: DOM-REQ-6 (Origin-bound storage isolation)](#assessment-dom-req-6-origin-bound-storage-isolation)
    - [Assessment: DOM-REQ-7 (Frame sandboxing support)](#assessment-dom-req-7-frame-sandboxing-support)
    - [Assessment: DOM-REQ-8 (Opaque origin handling)](#assessment-dom-req-8-opaque-origin-handling)
    - [Assessment: DOM-REQ-9 (CORP for cross-origin isolation)](#assessment-dom-req-9-corp-for-cross-origin-isolation)
    - [Assessment: DOM-REQ-10 (COOP enforcement)](#assessment-dom-req-10-coop-enforcement)
    - [Assessment: DOM-REQ-11 (COEP enforcement)](#assessment-dom-req-11-coep-enforcement)
    - [Assessment: DOM-REQ-12 (Document.domain deprecation)](#assessment-dom-req-12-documentdomain-deprecation)
    - [Assessment: DOM-REQ-13 (Enterprise origin isolation policy configuration)](#assessment-dom-req-13-enterprise-origin-isolation-policy-configuration)
    - [Assessment: DOM-REQ-14 (Logging of policy-based isolation exceptions)](#assessment-dom-req-14-logging-of-policy-based-isolation-exceptions)
    - [Assessment: DOM-REQ-15 (Compatibility mode isolation integrity)](#assessment-dom-req-15-compatibility-mode-isolation-integrity)
    - [Assessment: DOM-REQ-16 (Third-party integration isolation)](#assessment-dom-req-16-third-party-integration-isolation)
    - [Assessment: DOM-REQ-17 (Documentation and logging of compatibility exceptions)](#assessment-dom-req-17-documentation-and-logging-of-compatibility-exceptions)
    - [Assessment: DOM-REQ-18 (Embedded component storage isolation)](#assessment-dom-req-18-embedded-component-storage-isolation)
  - [6.2 Extension System Security Assessments](#62-extension-system-security-assessments)
    - [Assessment: EXT-REQ-1 (Permission model for extensions)](#assessment-ext-req-1-permission-model-for-extensions)
    - [Assessment: EXT-REQ-2 (Content script isolation)](#assessment-ext-req-2-content-script-isolation)
    - [Assessment: EXT-REQ-3 (Extension API access control)](#assessment-ext-req-3-extension-api-access-control)
    - [Assessment: EXT-REQ-4 (Manifest validation)](#assessment-ext-req-4-manifest-validation)
    - [Assessment: EXT-REQ-5 (Extension sandboxing)](#assessment-ext-req-5-extension-sandboxing)
    - [Assessment: EXT-REQ-6 (Cross-extension isolation)](#assessment-ext-req-6-cross-extension-isolation)
    - [Assessment: EXT-REQ-7 (Host permissions validation)](#assessment-ext-req-7-host-permissions-validation)
    - [Assessment: EXT-REQ-8 (CSP for extensions)](#assessment-ext-req-8-csp-for-extensions)
    - [Assessment: EXT-REQ-9 (WebRequest API security)](#assessment-ext-req-9-webrequest-api-security)
    - [Assessment: EXT-REQ-10 (Extension update verification)](#assessment-ext-req-10-extension-update-verification)
    - [Assessment: EXT-REQ-11 (Extension storage isolation)](#assessment-ext-req-11-extension-storage-isolation)
    - [Assessment: EXT-REQ-12 (Background script restrictions)](#assessment-ext-req-12-background-script-restrictions)
    - [Assessment: EXT-REQ-13 (Manifest V3 compliance)](#assessment-ext-req-13-manifest-v3-compliance)
    - [Assessment: EXT-REQ-14 (Native messaging security)](#assessment-ext-req-14-native-messaging-security)
    - [Assessment: EXT-REQ-15 (Extension-controlled web content)](#assessment-ext-req-15-extension-controlled-web-content)
    - [Assessment: EXT-REQ-16 (Extension telemetry privacy)](#assessment-ext-req-16-extension-telemetry-privacy)
    - [Assessment: EXT-REQ-17 (Extension signature validation)](#assessment-ext-req-17-extension-signature-validation)
    - [Assessment: EXT-REQ-18 (Extension permissions UI transparency)](#assessment-ext-req-18-extension-permissions-ui-transparency)
    - [Assessment: EXT-REQ-19 (No extension support enforcement)](#assessment-ext-req-19-no-extension-support-enforcement)
    - [Assessment: EXT-REQ-20 (Extension code loading prevention)](#assessment-ext-req-20-extension-code-loading-prevention)
    - [Assessment: EXT-REQ-21 (Extension subsystem removal)](#assessment-ext-req-21-extension-subsystem-removal)
    - [Assessment: EXT-REQ-22 (Official extension store restriction)](#assessment-ext-req-22-official-extension-store-restriction)
    - [Assessment: EXT-REQ-23 (Extension security review requirement)](#assessment-ext-req-23-extension-security-review-requirement)
    - [Assessment: EXT-REQ-24 (Developer mode activation security)](#assessment-ext-req-24-developer-mode-activation-security)
    - [Assessment: EXT-REQ-25 (Developer mode visual indicators)](#assessment-ext-req-25-developer-mode-visual-indicators)
    - [Assessment: EXT-REQ-26 (Developer mode update disablement)](#assessment-ext-req-26-developer-mode-update-disablement)
    - [Assessment: EXT-REQ-27 (Developer mode activity logging)](#assessment-ext-req-27-developer-mode-activity-logging)
    - [Assessment: EXT-REQ-28 (Enterprise developer mode control)](#assessment-ext-req-28-enterprise-developer-mode-control)
    - [Assessment: EXT-REQ-29 (Sideloaded extension warnings)](#assessment-ext-req-29-sideloaded-extension-warnings)
    - [Assessment: EXT-REQ-30 (User extension permission controls)](#assessment-ext-req-30-user-extension-permission-controls)
    - [Assessment: EXT-REQ-31 (Sideloaded extension malware scanning)](#assessment-ext-req-31-sideloaded-extension-malware-scanning)
    - [Assessment: EXT-REQ-32 (Extension security event logging)](#assessment-ext-req-32-extension-security-event-logging)
  - [6.3 Cryptographic Security Assessments](#63-cryptographic-security-assessments)
    - [Assessment: ENC-REQ-1 (TLS 1.3+ support)](#assessment-enc-req-1-tls-13-support)
    - [Assessment: ENC-REQ-2 (Certificate validation)](#assessment-enc-req-2-certificate-validation)
    - [Assessment: ENC-REQ-3 (Certificate pinning support)](#assessment-enc-req-3-certificate-pinning-support)
    - [Assessment: ENC-REQ-4 (HSTS enforcement)](#assessment-enc-req-4-hsts-enforcement)
    - [Assessment: ENC-REQ-5 (Mixed content blocking)](#assessment-enc-req-5-mixed-content-blocking)
    - [Assessment: ENC-REQ-6 (Certificate Transparency)](#assessment-enc-req-6-certificate-transparency)
    - [Assessment: ENC-REQ-7 (OCSP stapling)](#assessment-enc-req-7-ocsp-stapling)
    - [Assessment: ENC-REQ-8 (Cipher suite restrictions)](#assessment-enc-req-8-cipher-suite-restrictions)
    - [Assessment: ENC-REQ-9 (Perfect forward secrecy)](#assessment-enc-req-9-perfect-forward-secrecy)
    - [Assessment: ENC-REQ-10 (Revocation checking)](#assessment-enc-req-10-revocation-checking)
    - [Assessment: ENC-REQ-11 (Web Crypto API compliance)](#assessment-enc-req-11-web-crypto-api-compliance)
    - [Assessment: ENC-REQ-12 (Secure random number generation)](#assessment-enc-req-12-secure-random-number-generation)
    - [Assessment: ENC-REQ-13 (SubResource Integrity)](#assessment-enc-req-13-subresource-integrity)
    - [Assessment: ENC-REQ-14 (Encrypted SNI)](#assessment-enc-req-14-encrypted-sni)
    - [Assessment: ENC-REQ-15 (Certificate error UI)](#assessment-enc-req-15-certificate-error-ui)
    - [Assessment: ENC-REQ-16 (HTTPS-first mode)](#assessment-enc-req-16-https-first-mode)
    - [Assessment: ENC-REQ-17 (Certificate pinning bypass detection)](#assessment-enc-req-17-certificate-pinning-bypass-detection)
    - [Assessment: ENC-REQ-18 (TLS downgrade protection)](#assessment-enc-req-18-tls-downgrade-protection)
    - [Assessment: ENC-REQ-19 (Legacy crypto deprecation)](#assessment-enc-req-19-legacy-crypto-deprecation)
    - [Assessment: ENC-REQ-20 (Cryptographic key isolation)](#assessment-enc-req-20-cryptographic-key-isolation)
    - [Assessment: ENC-REQ-21 (Certificate store security)](#assessment-enc-req-21-certificate-store-security)
    - [Assessment: ENC-REQ-22 (Certificate pinning override prohibition)](#assessment-enc-req-22-certificate-pinning-override-prohibition)
    - [Assessment: ENC-REQ-23 (Hardware-backed cryptographic operations)](#assessment-enc-req-23-hardware-backed-cryptographic-operations)
    - [Assessment: ENC-REQ-24 (Encryption strictness configuration)](#assessment-enc-req-24-encryption-strictness-configuration)
    - [Assessment: ENC-REQ-25 (Connection security visual indicators)](#assessment-enc-req-25-connection-security-visual-indicators)
    - [Assessment: ENC-REQ-26 (User encryption settings control)](#assessment-enc-req-26-user-encryption-settings-control)
    - [Assessment: ENC-REQ-27 (Encryption status UI indicators)](#assessment-enc-req-27-encryption-status-ui-indicators)
    - [Assessment: ENC-REQ-28 (Legacy protocol compatibility mode)](#assessment-enc-req-28-legacy-protocol-compatibility-mode)
    - [Assessment: ENC-REQ-29 (Complete encryption policy control)](#assessment-enc-req-29-complete-encryption-policy-control)
    - [Assessment: ENC-REQ-30 (User-enabled legacy protocol support)](#assessment-enc-req-30-user-enabled-legacy-protocol-support)
  - [6.4 Security Event Logging Assessments](#64-security-event-logging-assessments)
    - [Assessment: LOG-REQ-1 (Security event logging)](#assessment-log-req-1-security-event-logging)
    - [Assessment: LOG-REQ-2 (Certificate error logging)](#assessment-log-req-2-certificate-error-logging)
    - [Assessment: LOG-REQ-3 (Extension security events)](#assessment-log-req-3-extension-security-events)
    - [Assessment: LOG-REQ-4 (CSP violation reporting)](#assessment-log-req-4-csp-violation-reporting)
    - [Assessment: LOG-REQ-5 (Network Error Logging - NEL)](#assessment-log-req-5-network-error-logging---nel)
    - [Assessment: LOG-REQ-6 (Crash reporting)](#assessment-log-req-6-crash-reporting)
    - [Assessment: LOG-REQ-7 (Log data minimization)](#assessment-log-req-7-log-data-minimization)
    - [Assessment: LOG-REQ-8 (Log anonymization)](#assessment-log-req-8-log-anonymization)
    - [Assessment: LOG-REQ-9 (User consent for telemetry)](#assessment-log-req-9-user-consent-for-telemetry)
    - [Assessment: LOG-REQ-10 (Secure log transmission)](#assessment-log-req-10-secure-log-transmission)
    - [Assessment: LOG-REQ-11 (Log integrity protection)](#assessment-log-req-11-log-integrity-protection)
    - [Assessment: LOG-REQ-12 (Log retention policies)](#assessment-log-req-12-log-retention-policies)
    - [Assessment: LOG-REQ-13 (Security dashboard)](#assessment-log-req-13-security-dashboard)
    - [Assessment: LOG-REQ-14 (Incident detection)](#assessment-log-req-14-incident-detection)
    - [Assessment: LOG-REQ-15 (Audit trail completeness)](#assessment-log-req-15-audit-trail-completeness)
    - [Assessment: LOG-REQ-16 (Real-time security alerts)](#assessment-log-req-16-real-time-security-alerts)
    - [Assessment: LOG-REQ-17 (Forensic log export)](#assessment-log-req-17-forensic-log-export)
    - [Assessment: LOG-REQ-18 (Privacy-preserving analytics)](#assessment-log-req-18-privacy-preserving-analytics)
    - [Assessment: LOG-REQ-19 (Compliance logging)](#assessment-log-req-19-compliance-logging)
    - [Assessment: LOG-REQ-20 (Log access controls)](#assessment-log-req-20-log-access-controls)
    - [Assessment: LOG-REQ-21 (No remote telemetry transmission)](#assessment-log-req-21-no-remote-telemetry-transmission)
    - [Assessment: LOG-REQ-22 (Opt-in local logging)](#assessment-log-req-22-opt-in-local-logging)
    - [Assessment: LOG-REQ-23 (User log management)](#assessment-log-req-23-user-log-management)
    - [Assessment: LOG-REQ-24 (Telemetry opt-in requirement)](#assessment-log-req-24-telemetry-opt-in-requirement)
    - [Assessment: LOG-REQ-25 (Granular telemetry control)](#assessment-log-req-25-granular-telemetry-control)
    - [Assessment: LOG-REQ-26 (Telemetry data documentation)](#assessment-log-req-26-telemetry-data-documentation)
    - [Assessment: LOG-REQ-27 (Telemetry disable capability)](#assessment-log-req-27-telemetry-disable-capability)
    - [Assessment: LOG-REQ-28 (Telemetry status display)](#assessment-log-req-28-telemetry-status-display)
    - [Assessment: LOG-REQ-29 (Enterprise logging enforcement)](#assessment-log-req-29-enterprise-logging-enforcement)
    - [Assessment: LOG-REQ-30 (Enterprise monitoring integration)](#assessment-log-req-30-enterprise-monitoring-integration)
    - [Assessment: LOG-REQ-31 (Tamper-evident logging)](#assessment-log-req-31-tamper-evident-logging)
  - [6.5 Update Mechanism Security Assessments](#65-update-mechanism-security-assessments)
    - [Assessment: UPD-REQ-1 (Automatic update mechanism)](#assessment-upd-req-1-automatic-update-mechanism)
    - [Assessment: UPD-REQ-2 (Update signature verification)](#assessment-upd-req-2-update-signature-verification)
    - [Assessment: UPD-REQ-3 (HTTPS-only update delivery)](#assessment-upd-req-3-https-only-update-delivery)
    - [Assessment: UPD-REQ-4 (Update manifest integrity)](#assessment-upd-req-4-update-manifest-integrity)
    - [Assessment: UPD-REQ-5 (Rollback protection)](#assessment-upd-req-5-rollback-protection)
    - [Assessment: UPD-REQ-6 (Update channel isolation)](#assessment-upd-req-6-update-channel-isolation)
    - [Assessment: UPD-REQ-7 (Component update support)](#assessment-upd-req-7-component-update-support)
    - [Assessment: UPD-REQ-8 (Emergency update capability)](#assessment-upd-req-8-emergency-update-capability)
    - [Assessment: UPD-REQ-9 (Update verification before installation)](#assessment-upd-req-9-update-verification-before-installation)
    - [Assessment: UPD-REQ-10 (Update failure recovery)](#assessment-upd-req-10-update-failure-recovery)
    - [Assessment: UPD-REQ-11 (Update transparency logging)](#assessment-upd-req-11-update-transparency-logging)
    - [Assessment: UPD-REQ-12 (Delta update security)](#assessment-upd-req-12-delta-update-security)
    - [Assessment: UPD-REQ-13 (Update server authentication)](#assessment-upd-req-13-update-server-authentication)
    - [Assessment: UPD-REQ-14 (Update timing jitter)](#assessment-upd-req-14-update-timing-jitter)
    - [Assessment: UPD-REQ-15 (Background update enforcement)](#assessment-upd-req-15-background-update-enforcement)
    - [Assessment: UPD-REQ-16 (Update notification UI)](#assessment-upd-req-16-update-notification-ui)
    - [Assessment: UPD-REQ-17 (Forced update for critical vulnerabilities)](#assessment-upd-req-17-forced-update-for-critical-vulnerabilities)
    - [Assessment: UPD-REQ-18 (Update verification chain)](#assessment-upd-req-18-update-verification-chain)
    - [Assessment: UPD-REQ-19 (Update source pinning)](#assessment-upd-req-19-update-source-pinning)
    - [Assessment: UPD-REQ-20 (Update integrity verification)](#assessment-upd-req-20-update-integrity-verification)
    - [Assessment: UPD-REQ-21 (Staged rollout support)](#assessment-upd-req-21-staged-rollout-support)
    - [Assessment: UPD-REQ-22 (Update domain validation)](#assessment-upd-req-22-update-domain-validation)
    - [Assessment: UPD-REQ-23 (Update binary reproducibility)](#assessment-upd-req-23-update-binary-reproducibility)
    - [Assessment: UPD-REQ-24 (Automatic update application without user intervention)](#assessment-upd-req-24-automatic-update-application-without-user-intervention)
    - [Assessment: UPD-REQ-25 (Automatic browser restart after critical updates)](#assessment-upd-req-25-automatic-browser-restart-after-critical-updates)
    - [Assessment: UPD-REQ-26 (Update postponement with time limits)](#assessment-upd-req-26-update-postponement-with-time-limits)
    - [Assessment: UPD-REQ-27 (Critical update postponement restrictions)](#assessment-upd-req-27-critical-update-postponement-restrictions)
    - [Assessment: UPD-REQ-28 (Update severity indication)](#assessment-upd-req-28-update-severity-indication)
    - [Assessment: UPD-REQ-29 (Automatic updates disabled by default)](#assessment-upd-req-29-automatic-updates-disabled-by-default)
    - [Assessment: UPD-REQ-30 (Automatic update recommendations)](#assessment-upd-req-30-automatic-update-recommendations)
    - [Assessment: UPD-REQ-31 (Security warnings for available updates)](#assessment-upd-req-31-security-warnings-for-available-updates)
    - [Assessment: UPD-REQ-32 (Easy update check and install mechanism)](#assessment-upd-req-32-easy-update-check-and-install-mechanism)
    - [Assessment: UPD-REQ-33 (Full user control over update timing)](#assessment-upd-req-33-full-user-control-over-update-timing)
    - [Assessment: UPD-REQ-34 (Manual update check mechanism)](#assessment-upd-req-34-manual-update-check-mechanism)
    - [Assessment: UPD-REQ-35 (Outdated version security warnings)](#assessment-upd-req-35-outdated-version-security-warnings)
    - [Assessment: UPD-REQ-36 (Clear indication of available security updates)](#assessment-upd-req-36-clear-indication-of-available-security-updates)
    - [Assessment: UPD-REQ-37 (Explicit user initiation for all updates)](#assessment-upd-req-37-explicit-user-initiation-for-all-updates)
    - [Assessment: UPD-REQ-38 (Update changelog and security impact display)](#assessment-upd-req-38-update-changelog-and-security-impact-display)
  - [6.6 Protocol Handler Security Assessments](#66-protocol-handler-security-assessments)
    - [Assessment: PRO-REQ-1 (Protocol handler registration validation)](#assessment-pro-req-1-protocol-handler-registration-validation)
    - [Assessment: PRO-REQ-2 (User consent for custom protocols)](#assessment-pro-req-2-user-consent-for-custom-protocols)
    - [Assessment: PRO-REQ-3 (Protocol allowlist enforcement)](#assessment-pro-req-3-protocol-allowlist-enforcement)
    - [Assessment: PRO-REQ-4 (Scheme hijacking prevention)](#assessment-pro-req-4-scheme-hijacking-prevention)
    - [Assessment: PRO-REQ-5 (Protocol parameter sanitization)](#assessment-pro-req-5-protocol-parameter-sanitization)
    - [Assessment: PRO-REQ-6 (External protocol handler security)](#assessment-pro-req-6-external-protocol-handler-security)
    - [Assessment: PRO-REQ-7 (Protocol handler UI transparency)](#assessment-pro-req-7-protocol-handler-ui-transparency)
    - [Assessment: PRO-REQ-8 (Protocol downgrade protection)](#assessment-pro-req-8-protocol-downgrade-protection)
    - [Assessment: PRO-REQ-9 (Protocol handler logging)](#assessment-pro-req-9-protocol-handler-logging)
    - [Assessment: PRO-REQ-10 (Web+custom scheme support)](#assessment-pro-req-10-webcustom-scheme-support)
    - [Assessment: PRO-REQ-11 (Protocol handler persistence)](#assessment-pro-req-11-protocol-handler-persistence)
    - [Assessment: PRO-REQ-12 (Protocol confusion mitigation)](#assessment-pro-req-12-protocol-confusion-mitigation)
    - [Assessment: PRO-REQ-13 (Handler capability restrictions)](#assessment-pro-req-13-handler-capability-restrictions)
    - [Assessment: PRO-REQ-14 (Protocol handler revocation)](#assessment-pro-req-14-protocol-handler-revocation)
    - [Assessment: PRO-REQ-15 (Cross-origin protocol restrictions)](#assessment-pro-req-15-cross-origin-protocol-restrictions)
    - [Assessment: PRO-REQ-16 (Protocol handler manifest validation)](#assessment-pro-req-16-protocol-handler-manifest-validation)
    - [Assessment: PRO-REQ-17 (Intent URL security - mobile)](#assessment-pro-req-17-intent-url-security---mobile)
    - [Assessment: PRO-REQ-18 (Universal Links security - iOS)](#assessment-pro-req-18-universal-links-security---ios)
    - [Assessment: PRO-REQ-19 (Deep linking validation)](#assessment-pro-req-19-deep-linking-validation)
    - [Assessment: PRO-REQ-20 (Protocol handler CSP integration)](#assessment-pro-req-20-protocol-handler-csp-integration)
    - [Assessment: PRO-REQ-21 (Handler registration audit trail)](#assessment-pro-req-21-handler-registration-audit-trail)
    - [Assessment: PRO-REQ-22 (Protocol handler update security)](#assessment-pro-req-22-protocol-handler-update-security)
    - [Assessment: PRO-REQ-23 (Handler isolation enforcement)](#assessment-pro-req-23-handler-isolation-enforcement)
    - [Assessment: PRO-REQ-24 (HTTP/HTTPS-only protocol restriction)](#assessment-pro-req-24-httphttps-only-protocol-restriction)
    - [Assessment: PRO-REQ-25 (Custom protocol handler registration rejection)](#assessment-pro-req-25-custom-protocol-handler-registration-rejection)
    - [Assessment: PRO-REQ-26 (Non-standard URL scheme blocking)](#assessment-pro-req-26-non-standard-url-scheme-blocking)
    - [Assessment: PRO-REQ-27 (Protocol handler API removal)](#assessment-pro-req-27-protocol-handler-api-removal)
    - [Assessment: PRO-REQ-28 (Non-HTTP/HTTPS navigation rejection)](#assessment-pro-req-28-non-httphttps-navigation-rejection)
    - [Assessment: PRO-REQ-29 (Enterprise protocol handler policy controls)](#assessment-pro-req-29-enterprise-protocol-handler-policy-controls)
    - [Assessment: PRO-REQ-30 (Custom scheme registration without web+ prefix)](#assessment-pro-req-30-custom-scheme-registration-without-web-prefix)
    - [Assessment: PRO-REQ-31 (Non-standard protocol handler security warnings)](#assessment-pro-req-31-non-standard-protocol-handler-security-warnings)
    - [Assessment: PRO-REQ-32 (Protocol handler review interface)](#assessment-pro-req-32-protocol-handler-review-interface)
    - [Assessment: PRO-REQ-33 (Custom handler vulnerability scanning)](#assessment-pro-req-33-custom-handler-vulnerability-scanning)
    - [Assessment: PRO-REQ-34 (Protocol handler security audit logging)](#assessment-pro-req-34-protocol-handler-security-audit-logging)
  - [6.7 System Resource Access Security Assessments](#67-system-resource-access-security-assessments)
    - [Assessment: SYS-REQ-1 (Process sandbox enforcement)](#assessment-sys-req-1-process-sandbox-enforcement)
    - [Assessment: SYS-REQ-2 (Renderer process isolation)](#assessment-sys-req-2-renderer-process-isolation)
    - [Assessment: SYS-REQ-3 (GPU process isolation)](#assessment-sys-req-3-gpu-process-isolation)
    - [Assessment: SYS-REQ-4 (Network service isolation)](#assessment-sys-req-4-network-service-isolation)
    - [Assessment: SYS-REQ-5 (Filesystem access control)](#assessment-sys-req-5-filesystem-access-control)
    - [Assessment: SYS-REQ-6 (Device API permissions)](#assessment-sys-req-6-device-api-permissions)
    - [Assessment: SYS-REQ-7 (PWA permission management)](#assessment-sys-req-7-pwa-permission-management)
    - [Assessment: SYS-REQ-8 (Geolocation permission enforcement)](#assessment-sys-req-8-geolocation-permission-enforcement)
    - [Assessment: SYS-REQ-9 (Camera/microphone access control)](#assessment-sys-req-9-cameramicrophone-access-control)
    - [Assessment: SYS-REQ-10 (Clipboard access restrictions)](#assessment-sys-req-10-clipboard-access-restrictions)
    - [Assessment: SYS-REQ-11 (Notification permission management)](#assessment-sys-req-11-notification-permission-management)
    - [Assessment: SYS-REQ-12 (USB device access security)](#assessment-sys-req-12-usb-device-access-security)
    - [Assessment: SYS-REQ-13 (Bluetooth permission enforcement)](#assessment-sys-req-13-bluetooth-permission-enforcement)
    - [Assessment: SYS-REQ-14 (File System Access API security)](#assessment-sys-req-14-file-system-access-api-security)
    - [Assessment: SYS-REQ-15 (WebUSB security controls)](#assessment-sys-req-15-webusb-security-controls)
    - [Assessment: SYS-REQ-16 (WebBluetooth security)](#assessment-sys-req-16-webbluetooth-security)
    - [Assessment: SYS-REQ-17 (WebNFC permission management)](#assessment-sys-req-17-webnfc-permission-management)
    - [Assessment: SYS-REQ-18 (Sensor API permissions)](#assessment-sys-req-18-sensor-api-permissions)
    - [Assessment: SYS-REQ-19 (Battery Status API restrictions)](#assessment-sys-req-19-battery-status-api-restrictions)
    - [Assessment: SYS-REQ-20 (Hardware resource limits)](#assessment-sys-req-20-hardware-resource-limits)
    - [Assessment: SYS-REQ-21 (Memory isolation enforcement)](#assessment-sys-req-21-memory-isolation-enforcement)
    - [Assessment: SYS-REQ-22 (CPU resource quotas)](#assessment-sys-req-22-cpu-resource-quotas)
    - [Assessment: SYS-REQ-23 (Network bandwidth limits)](#assessment-sys-req-23-network-bandwidth-limits)
    - [Assessment: SYS-REQ-24 (Storage quota enforcement)](#assessment-sys-req-24-storage-quota-enforcement)
    - [Assessment: SYS-REQ-25 (Process priority management)](#assessment-sys-req-25-process-priority-management)
    - [Assessment: SYS-REQ-26 (Sandbox escape prevention)](#assessment-sys-req-26-sandbox-escape-prevention)
    - [Assessment: SYS-REQ-27 (Speculative execution mitigations)](#assessment-sys-req-27-speculative-execution-mitigations)
    - [Assessment: SYS-REQ-28 (Side-channel attack mitigations)](#assessment-sys-req-28-side-channel-attack-mitigations)
    - [Assessment: SYS-REQ-29 (Hardware token security)](#assessment-sys-req-29-hardware-token-security)
    - [Assessment: SYS-REQ-30 (Accessibility API security)](#assessment-sys-req-30-accessibility-api-security)
    - [Assessment: SYS-REQ-31 (Native messaging restrictions)](#assessment-sys-req-31-native-messaging-restrictions)
    - [Assessment: SYS-REQ-32 (Host OS integration security)](#assessment-sys-req-32-host-os-integration-security)
    - [Assessment: SYS-REQ-33 (Block all device API access at SYS-0)](#assessment-sys-req-33-block-all-device-api-access-at-sys-0)
    - [Assessment: SYS-REQ-34 (Block native messaging interfaces at SYS-0)](#assessment-sys-req-34-block-native-messaging-interfaces-at-sys-0)
    - [Assessment: SYS-REQ-35 (Block host OS integration at SYS-0)](#assessment-sys-req-35-block-host-os-integration-at-sys-0)
    - [Assessment: SYS-REQ-36 (PWA permission scope restrictions)](#assessment-sys-req-36-pwa-permission-scope-restrictions)
    - [Assessment: SYS-REQ-37 (PWA installation permission restrictions)](#assessment-sys-req-37-pwa-installation-permission-restrictions)
    - [Assessment: SYS-REQ-38 (PWA uninstallation permission revocation)](#assessment-sys-req-38-pwa-uninstallation-permission-revocation)
    - [Assessment: SYS-REQ-39 (PWA permission audit logging)](#assessment-sys-req-39-pwa-permission-audit-logging)
    - [Assessment: SYS-REQ-40 (Enterprise PWA permission policy controls)](#assessment-sys-req-40-enterprise-pwa-permission-policy-controls)
    - [Assessment: SYS-REQ-41 (Native-equivalent API access controls at SYS-3)](#assessment-sys-req-41-native-equivalent-api-access-controls-at-sys-3)
    - [Assessment: SYS-REQ-42 (Transparent UI for native integration at SYS-3)](#assessment-sys-req-42-transparent-ui-for-native-integration-at-sys-3)
    - [Assessment: SYS-REQ-43 (Security warnings for privileged API access at SYS-3)](#assessment-sys-req-43-security-warnings-for-privileged-api-access-at-sys-3)
    - [Assessment: SYS-REQ-44 (Extended system access audit logging at SYS-3)](#assessment-sys-req-44-extended-system-access-audit-logging-at-sys-3)
    - [Assessment: SYS-REQ-45 (User permission review and revocation at SYS-3)](#assessment-sys-req-45-user-permission-review-and-revocation-at-sys-3)
    - [Assessment: SYS-REQ-46 (Enterprise restriction of native-equivalent features at SYS-3)](#assessment-sys-req-46-enterprise-restriction-of-native-equivalent-features-at-sys-3)
    - [Assessment: SYS-REQ-47 (Native integration audit documentation at SYS-3)](#assessment-sys-req-47-native-integration-audit-documentation-at-sys-3)
  - [6.8 Embedded Browser Security Assessments](#68-embedded-browser-security-assessments)
    - [Assessment: EMB-REQ-1 (JavaScript bridge API allowlists)](#assessment-emb-req-1-javascript-bridge-api-allowlists)
    - [Assessment: EMB-REQ-2 (JavaScript bridge input validation)](#assessment-emb-req-2-javascript-bridge-input-validation)
    - [Assessment: EMB-REQ-3 (JavaScript bridge logging)](#assessment-emb-req-3-javascript-bridge-logging)
    - [Assessment: EMB-REQ-4 (Context isolation)](#assessment-emb-req-4-context-isolation)
    - [Assessment: EMB-REQ-5 (User consent for sensitive APIs)](#assessment-emb-req-5-user-consent-for-sensitive-apis)
    - [Assessment: EMB-REQ-6 (No system-level API exposure without controls)](#assessment-emb-req-6-no-system-level-api-exposure-without-controls)
    - [Assessment: EMB-REQ-7 (Immutable bridge configuration)](#assessment-emb-req-7-immutable-bridge-configuration)
    - [Assessment: EMB-REQ-8 (Host credential protection)](#assessment-emb-req-8-host-credential-protection)
    - [Assessment: EMB-REQ-9 (JavaScript bridge security review)](#assessment-emb-req-9-javascript-bridge-security-review)
    - [Assessment: EMB-REQ-10 (Bridge API rate limiting)](#assessment-emb-req-10-bridge-api-rate-limiting)
    - [Assessment: EMB-REQ-11 (Granular capability-based permissions)](#assessment-emb-req-11-granular-capability-based-permissions)
    - [Assessment: EMB-REQ-12 (Storage isolation from host)](#assessment-emb-req-12-storage-isolation-from-host)
    - [Assessment: EMB-REQ-13 (CSP enforcement for embedded content)](#assessment-emb-req-13-csp-enforcement-for-embedded-content)
    - [Assessment: EMB-REQ-14 (Encrypted cross-process bridge)](#assessment-emb-req-14-encrypted-cross-process-bridge)
    - [Assessment: EMB-REQ-15 (Native UI overlay prevention)](#assessment-emb-req-15-native-ui-overlay-prevention)
    - [Assessment: EMB-REQ-16 (API surface allowlisting over denylisting)](#assessment-emb-req-16-api-surface-allowlisting-over-denylisting)
    - [Assessment: EMB-REQ-17 (Certificate validation for remote content)](#assessment-emb-req-17-certificate-validation-for-remote-content)
    - [Assessment: EMB-REQ-18 (Trusted origin allowlisting)](#assessment-emb-req-18-trusted-origin-allowlisting)
    - [Assessment: EMB-REQ-19 (Subresource Integrity for external scripts)](#assessment-emb-req-19-subresource-integrity-for-external-scripts)
    - [Assessment: EMB-REQ-20 (Certificate pinning with backup pins)](#assessment-emb-req-20-certificate-pinning-with-backup-pins)
    - [Assessment: EMB-REQ-21 (Mixed content prevention)](#assessment-emb-req-21-mixed-content-prevention)
    - [Assessment: EMB-REQ-22 (Trust decision logging)](#assessment-emb-req-22-trust-decision-logging)
    - [Assessment: EMB-REQ-23 (Cryptographic signature verification for local content)](#assessment-emb-req-23-cryptographic-signature-verification-for-local-content)
    - [Assessment: EMB-REQ-24 (Redirect chain trust enforcement)](#assessment-emb-req-24-redirect-chain-trust-enforcement)
    - [Assessment: EMB-REQ-25 (HSTS enforcement for trusted origins)](#assessment-emb-req-25-hsts-enforcement-for-trusted-origins)
    - [Assessment: EMB-REQ-26 (Certificate validation failure notification)](#assessment-emb-req-26-certificate-validation-failure-notification)
    - [Assessment: EMB-REQ-27 (Network security configuration)](#assessment-emb-req-27-network-security-configuration)
    - [Assessment: EMB-REQ-28 (CSP enforcement for third-party content)](#assessment-emb-req-28-csp-enforcement-for-third-party-content)
    - [Assessment: EMB-REQ-29 (Per-instance trust policies)](#assessment-emb-req-29-per-instance-trust-policies)
    - [Assessment: EMB-REQ-30 (Certificate Transparency verification)](#assessment-emb-req-30-certificate-transparency-verification)
    - [Assessment: EMB-REQ-31 (DNS rebinding attack prevention)](#assessment-emb-req-31-dns-rebinding-attack-prevention)
    - [Assessment: EMB-REQ-32 (Trust boundary violation security events)](#assessment-emb-req-32-trust-boundary-violation-security-events)
    - [Assessment: EMB-REQ-33 (Block web content access to host application objects at EMB-0)](#assessment-emb-req-33-block-web-content-access-to-host-application-objects-at-emb-0)
    - [Assessment: EMB-REQ-34 (No JavaScript bridge exposure at EMB-0)](#assessment-emb-req-34-no-javascript-bridge-exposure-at-emb-0)
    - [Assessment: EMB-REQ-35 (Treat all content as untrusted at EMB-0)](#assessment-emb-req-35-treat-all-content-as-untrusted-at-emb-0)
    - [Assessment: EMB-REQ-36 (Allowlist-only bridge API access at EMB-1)](#assessment-emb-req-36-allowlist-only-bridge-api-access-at-emb-1)
    - [Assessment: EMB-REQ-37 (Minimal and documented bridge API allowlist at EMB-1)](#assessment-emb-req-37-minimal-and-documented-bridge-api-allowlist-at-emb-1)
    - [Assessment: EMB-REQ-38 (Bidirectional bridge security controls at EMB-2)](#assessment-emb-req-38-bidirectional-bridge-security-controls-at-emb-2)
    - [Assessment: EMB-REQ-39 (Web content callback handler validation at EMB-2)](#assessment-emb-req-39-web-content-callback-handler-validation-at-emb-2)
    - [Assessment: EMB-REQ-40 (Bridge message queuing with integrity protection at EMB-2)](#assessment-emb-req-40-bridge-message-queuing-with-integrity-protection-at-emb-2)
    - [Assessment: EMB-REQ-41 (Bridge traffic anomaly monitoring at EMB-2)](#assessment-emb-req-41-bridge-traffic-anomaly-monitoring-at-emb-2)
    - [Assessment: EMB-REQ-42 (Enterprise bridge API policy configuration at EMB-2)](#assessment-emb-req-42-enterprise-bridge-api-policy-configuration-at-emb-2)
    - [Assessment: EMB-REQ-43 (Core security boundaries preserved at EMB-3)](#assessment-emb-req-43-core-security-boundaries-preserved-at-emb-3)
    - [Assessment: EMB-REQ-44 (User awareness of native capabilities at EMB-3)](#assessment-emb-req-44-user-awareness-of-native-capabilities-at-emb-3)
    - [Assessment: EMB-REQ-45 (User permission review and revocation at EMB-3)](#assessment-emb-req-45-user-permission-review-and-revocation-at-emb-3)
    - [Assessment: EMB-REQ-46 (Native integration audit documentation at EMB-3)](#assessment-emb-req-46-native-integration-audit-documentation-at-emb-3)
    - [Assessment: EMB-REQ-47 (Enterprise native integration restrictions at EMB-3)](#assessment-emb-req-47-enterprise-native-integration-restrictions-at-emb-3)
    - [Assessment: EMB-REQ-48 (No privileged content origin access)](#assessment-emb-req-48-no-privileged-content-origin-access)
    - [Assessment: EMB-REQ-49 (Strict CSP enforcement without exceptions)](#assessment-emb-req-49-strict-csp-enforcement-without-exceptions)
    - [Assessment: EMB-REQ-50 (Trust allowlist immutability)](#assessment-emb-req-50-trust-allowlist-immutability)
    - [Assessment: EMB-REQ-51 (All EMB-1 requirements implemented)](#assessment-emb-req-51-all-emb-1-requirements-implemented)
    - [Assessment: EMB-REQ-52 (Pin configuration immutability)](#assessment-emb-req-52-pin-configuration-immutability)
    - [Assessment: EMB-REQ-53 (Pinning violation blocking)](#assessment-emb-req-53-pinning-violation-blocking)
    - [Assessment: EMB-REQ-54 (Pin rotation documentation and testing)](#assessment-emb-req-54-pin-rotation-documentation-and-testing)
    - [Assessment: EMB-REQ-55 (EMB-1 certificate validation baseline for remote content)](#assessment-emb-req-55-emb-1-certificate-validation-baseline-for-remote-content)
    - [Assessment: EMB-REQ-56 (Secure local content signature algorithms)](#assessment-emb-req-56-secure-local-content-signature-algorithms)
    - [Assessment: EMB-REQ-57 (Modified local content rejection)](#assessment-emb-req-57-modified-local-content-rejection)
    - [Assessment: EMB-REQ-58 (Signing key protection from extraction)](#assessment-emb-req-58-signing-key-protection-from-extraction)
    - [Assessment: EMB-REQ-59 (Hybrid deployment strictest controls)](#assessment-emb-req-59-hybrid-deployment-strictest-controls)
  - [6.9 Remote Data Processing Systems Security Assessments](#69-remote-data-processing-systems-security-assessments)
    - [Assessment: RDPS-REQ-1 (Offline functionality documentation)](#assessment-rdps-req-1-offline-functionality-documentation)
    - [Assessment: RDPS-REQ-2 (Data classification and inventory)](#assessment-rdps-req-2-data-classification-and-inventory)
    - [Assessment: RDPS-REQ-3 (Data criticality classification)](#assessment-rdps-req-3-data-criticality-classification)
    - [Assessment: RDPS-REQ-4 (TLS 1.3 encryption for data transmission)](#assessment-rdps-req-4-tls-13-encryption-for-data-transmission)
    - [Assessment: RDPS-REQ-5 (RDPS endpoint certificate validation)](#assessment-rdps-req-5-rdps-endpoint-certificate-validation)
    - [Assessment: RDPS-REQ-6 (Retry mechanisms with exponential backoff)](#assessment-rdps-req-6-retry-mechanisms-with-exponential-backoff)
    - [Assessment: RDPS-REQ-7 (Local data caching for offline operation)](#assessment-rdps-req-7-local-data-caching-for-offline-operation)
    - [Assessment: RDPS-REQ-8 (Secure authentication for RDPS access)](#assessment-rdps-req-8-secure-authentication-for-rdps-access)
    - [Assessment: RDPS-REQ-9 (Certificate pinning for RDPS)](#assessment-rdps-req-9-certificate-pinning-for-rdps)
    - [Assessment: RDPS-REQ-10 (RDPS connection timeout controls)](#assessment-rdps-req-10-rdps-connection-timeout-controls)
    - [Assessment: RDPS-REQ-11 (RDPS connectivity failure logging)](#assessment-rdps-req-11-rdps-connectivity-failure-logging)
    - [Assessment: RDPS-REQ-12 (Graceful functionality degradation when RDPS unavailable)](#assessment-rdps-req-12-graceful-functionality-degradation-when-rdps-unavailable)
    - [Assessment: RDPS-REQ-13 (Credentials protection from RDPS exposure)](#assessment-rdps-req-13-credentials-protection-from-rdps-exposure)
    - [Assessment: RDPS-REQ-14 (RDPS request rate limiting)](#assessment-rdps-req-14-rdps-request-rate-limiting)
    - [Assessment: RDPS-REQ-15 (RDPS data validation before processing)](#assessment-rdps-req-15-rdps-data-validation-before-processing)
    - [Assessment: RDPS-REQ-16 (Data at rest encryption in RDPS storage)](#assessment-rdps-req-16-data-at-rest-encryption-in-rdps-storage)
    - [Assessment: RDPS-REQ-17 (Mutual TLS authentication for RDPS)](#assessment-rdps-req-17-mutual-tls-authentication-for-rdps)
    - [Assessment: RDPS-REQ-18 (Redundant data copies for recovery)](#assessment-rdps-req-18-redundant-data-copies-for-recovery)
    - [Assessment: RDPS-REQ-19 (Data recovery from backups with integrity verification)](#assessment-rdps-req-19-data-recovery-from-backups-with-integrity-verification)
    - [Assessment: RDPS-REQ-20 (Data retention policies with secure deletion)](#assessment-rdps-req-20-data-retention-policies-with-secure-deletion)
    - [Assessment: RDPS-REQ-21 (Per-user per-origin access controls)](#assessment-rdps-req-21-per-user-per-origin-access-controls)
    - [Assessment: RDPS-REQ-22 (RDPS access and modification auditing)](#assessment-rdps-req-22-rdps-access-and-modification-auditing)
    - [Assessment: RDPS-REQ-23 (Data integrity verification using cryptographic hashes)](#assessment-rdps-req-23-data-integrity-verification-using-cryptographic-hashes)
    - [Assessment: RDPS-REQ-24 (RDPS endpoint substitution attack protection)](#assessment-rdps-req-24-rdps-endpoint-substitution-attack-protection)
    - [Assessment: RDPS-REQ-25 (Replay attack defense for RDPS communications)](#assessment-rdps-req-25-replay-attack-defense-for-rdps-communications)
    - [Assessment: RDPS-REQ-26 (Data minimization principles for RDPS transmissions)](#assessment-rdps-req-26-data-minimization-principles-for-rdps-transmissions)
    - [Assessment: RDPS-REQ-27 (User controls for RDPS data synchronization)](#assessment-rdps-req-27-user-controls-for-rdps-data-synchronization)
    - [Assessment: RDPS-REQ-28 (Secure data export from RDPS for data portability)](#assessment-rdps-req-28-secure-data-export-from-rdps-for-data-portability)
    - [Assessment: RDPS-REQ-29 (User-configurable RDPS endpoint security settings)](#assessment-rdps-req-29-user-configurable-rdps-endpoint-security-settings)
    - [Assessment: RDPS-REQ-30 (RDPS service availability verification before critical operations)](#assessment-rdps-req-30-rdps-service-availability-verification-before-critical-operations)
    - [Assessment: RDPS-REQ-31 (Connection pooling with security controls for RDPS)](#assessment-rdps-req-31-connection-pooling-with-security-controls-for-rdps)
    - [Assessment: RDPS-REQ-32 (RDPS authentication token protection from extraction and theft)](#assessment-rdps-req-32-rdps-authentication-token-protection-from-extraction-and-theft)
    - [Assessment: RDPS-REQ-33 (End-to-end encryption for all critical data in RDPS)](#assessment-rdps-req-33-end-to-end-encryption-for-all-critical-data-in-rdps)
    - [Assessment: RDPS-REQ-34 (Hardware-backed key storage for RDPS encryption keys)](#assessment-rdps-req-34-hardware-backed-key-storage-for-rdps-encryption-keys)
    - [Assessment: RDPS-REQ-35 (High-availability RDPS architecture with failover)](#assessment-rdps-req-35-high-availability-rdps-architecture-with-failover)
    - [Assessment: RDPS-REQ-36 (RDPS disaster recovery procedures documentation and testing)](#assessment-rdps-req-36-rdps-disaster-recovery-procedures-documentation-and-testing)
    - [Assessment: RDPS-REQ-37 (Real-time RDPS integrity monitoring)](#assessment-rdps-req-37-real-time-rdps-integrity-monitoring)
    - [Assessment: RDPS-REQ-38 (RDPS security event logging with SIEM integration)](#assessment-rdps-req-38-rdps-security-event-logging-with-siem-integration)
    - [Assessment: RDPS-REQ-39 (Geographic data residency requirements enforcement)](#assessment-rdps-req-39-geographic-data-residency-requirements-enforcement)
    - [Assessment: RDPS-REQ-40 (Zero-trust architecture for RDPS access)](#assessment-rdps-req-40-zero-trust-architecture-for-rdps-access)
    - [Assessment: RDPS-REQ-41 (Regulatory compliance logging for RDPS operations)](#assessment-rdps-req-41-regulatory-compliance-logging-for-rdps-operations)
    - [Assessment: RDPS-REQ-42 (Automated RDPS security scanning and vulnerability detection)](#assessment-rdps-req-42-automated-rdps-security-scanning-and-vulnerability-detection)
    - [Assessment: RDPS-REQ-43 (Cryptographic proof of RDPS data integrity)](#assessment-rdps-req-43-cryptographic-proof-of-rdps-data-integrity)
    - [Assessment: RDPS-REQ-44 (Secure multi-tenancy with data isolation in RDPS)](#assessment-rdps-req-44-secure-multi-tenancy-with-data-isolation-in-rdps)
    - [Assessment: RDPS-REQ-45 (RDPS security incident response procedures)](#assessment-rdps-req-45-rdps-security-incident-response-procedures)
    - [Assessment: RDPS-REQ-46 (RDPS access revocation mechanisms)](#assessment-rdps-req-46-rdps-access-revocation-mechanisms)
    - [Assessment: RDPS-REQ-47 (RDPS transparency reporting for data access)](#assessment-rdps-req-47-rdps-transparency-reporting-for-data-access)
    - [Assessment: RDPS-REQ-48 (Forward secrecy for RDPS communications)](#assessment-rdps-req-48-forward-secrecy-for-rdps-communications)
    - [Assessment: RDPS-REQ-49 (User notification of RDPS security events)](#assessment-rdps-req-49-user-notification-of-rdps-security-events)
    - [Assessment: RDPS-REQ-50 (Service discontinuation and data migration documentation)](#assessment-rdps-req-50-service-discontinuation-and-data-migration-documentation)
    - [Assessment: RDPS-REQ-51 (Enterprise administrator RDPS security policy configuration)](#assessment-rdps-req-51-enterprise-administrator-rdps-security-policy-configuration)
    - [Assessment: RDPS-REQ-52 (Fully offline browser operation without remote connectivity)](#assessment-rdps-req-52-fully-offline-browser-operation-without-remote-connectivity)
    - [Assessment: RDPS-REQ-53 (All user data stored locally without remote synchronization)](#assessment-rdps-req-53-all-user-data-stored-locally-without-remote-synchronization)
    - [Assessment: RDPS-REQ-54 (No telemetry, diagnostics, or usage data transmission)](#assessment-rdps-req-54-no-telemetry-diagnostics-or-usage-data-transmission)
    - [Assessment: RDPS-REQ-55 (No degradation when network connectivity unavailable)](#assessment-rdps-req-55-no-degradation-when-network-connectivity-unavailable)
    - [Assessment: RDPS-REQ-56 (No remote authentication or authorization services required)](#assessment-rdps-req-56-no-remote-authentication-or-authorization-services-required)
    - [Assessment: RDPS-REQ-57 (Local-only operation capabilities and limitations documentation)](#assessment-rdps-req-57-local-only-operation-capabilities-and-limitations-documentation)
    - [Assessment: RDPS-REQ-58 (User notification that no data leaves local system)](#assessment-rdps-req-58-user-notification-that-no-data-leaves-local-system)
    - [Assessment: RDPS-REQ-59 (All RDPS-1 requirements implemented for RDPS-2)](#assessment-rdps-req-59-all-rdps-1-requirements-implemented-for-rdps-2)
    - [Assessment: RDPS-REQ-60 (All RDPS-2 requirements implemented for RDPS-3)](#assessment-rdps-req-60-all-rdps-2-requirements-implemented-for-rdps-3)
- [Annex A (informative): Mapping between the present document and CRA requirements](#annex-a-informative-mapping-between-the-present-document-and-cra-requirements)
- [Annex B (informative): Mapping of Use Cases to Capabilities and Requirements](#annex-b-informative-mapping-of-use-cases-to-capabilities-and-requirements)
  - [B.1 Use Case Mapping Methodology](#b1-use-case-mapping-methodology)
  - [B.2 Use Case to Capability Mappings](#b2-use-case-to-capability-mappings)
    - [UC-B1: General Purpose Web Browsing (Risk Level: Standard)](#uc-b1-general-purpose-web-browsing-risk-level-standard)
    - [UC-B2: Development and Testing Environments (Risk Level: High)](#uc-b2-development-and-testing-environments-risk-level-high)
    - [UC-B3: Kiosks and Shared Terminals (Risk Level: High)](#uc-b3-kiosks-and-shared-terminals-risk-level-high)
    - [UC-B4: Financial Services Access (Risk Level: High)](#uc-b4-financial-services-access-risk-level-high)
    - [UC-B5: Healthcare and Medical Systems (Risk Level: High)](#uc-b5-healthcare-and-medical-systems-risk-level-high)
    - [UC-B6: E-Government Services Access (Risk Level: High)](#uc-b6-e-government-services-access-risk-level-high)
    - [UC-B7: Enterprise Applications (Risk Level: High)](#uc-b7-enterprise-applications-risk-level-high)
    - [UC-B8: Critical Infrastructure (Risk Level: CRITICAL)](#uc-b8-critical-infrastructure-risk-level-critical)
    - [UC-B9: Security Research (Risk Level: CRITICAL)](#uc-b9-security-research-risk-level-critical)
    - [UC-B10: Adapted Browser with Modified Features (Risk Level: Standard to High)](#uc-b10-adapted-browser-with-modified-features-risk-level-standard-to-high)
    - [UC-B11: Desktop Applications with Embedded Browser Navigation (Risk Level: High)](#uc-b11-desktop-applications-with-embedded-browser-navigation-risk-level-high)
    - [UC-B12: Super-App Platforms (Risk Level: High)](#uc-b12-super-app-platforms-risk-level-high)
  - [B.3 Capability Condition Level Selection Guide](#b3-capability-condition-level-selection-guide)
  - [B.4 Cross-Reference to Assessments](#b4-cross-reference-to-assessments)
  - [B.5 Remote Data Processing Systems (RDPS) Mapping](#b5-remote-data-processing-systems-rdps-mapping)
    - [RDPS-0: No Remote Data Processing (Fully Local Operation)](#rdps-0-no-remote-data-processing-fully-local-operation)
    - [RDPS-1: Limited Remote Processing (Non-Sensitive Data)](#rdps-1-limited-remote-processing-non-sensitive-data)
    - [RDPS-2: Extended Remote Processing (Sensitive Data)](#rdps-2-extended-remote-processing-sensitive-data)
    - [RDPS-3: Full Remote Processing (Critical Data - Maximum Security)](#rdps-3-full-remote-processing-critical-data---maximum-security)
    - [RDPS Capability Selection Matrix by Use Case](#rdps-capability-selection-matrix-by-use-case)
- [Annex C (informative): Relationship between the present document and related standards](#annex-c-informative-relationship-between-the-present-document-and-related-standards)
  - [C.1 European Standards and Regulations](#c1-european-standards-and-regulations)
    - [C.1.1 Cyber Resilience Act (EU) 2024/...](#c11-cyber-resilience-act-eu-2024)
    - [C.1.2 General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679](#c12-general-data-protection-regulation-gdpr---regulation-eu-2016679)
    - [C.1.3 eIDAS Regulation - Regulation (EU) No 910/2014](#c13-eidas-regulation---regulation-eu-no-9102014)
    - [C.1.4 NIS2 Directive - Directive (EU) 2022/2555](#c14-nis2-directive---directive-eu-20222555)
  - [C.2 ISO/IEC International Standards](#c2-isoiec-international-standards)
    - [C.2.1 ISO/IEC 27001 - Information Security Management Systems](#c21-isoiec-27001---information-security-management-systems)
    - [C.2.2 ISO/IEC 27017 - Cloud Services Information Security](#c22-isoiec-27017---cloud-services-information-security)
    - [C.2.3 ISO/IEC 27018 - Protection of PII in Public Clouds](#c23-isoiec-27018---protection-of-pii-in-public-clouds)
    - [C.2.4 ISO/IEC 27035 - Information Security Incident Management](#c24-isoiec-27035---information-security-incident-management)
    - [C.2.5 ISO/IEC 29147 - Vulnerability Disclosure](#c25-isoiec-29147---vulnerability-disclosure)
    - [C.2.6 ISO 22301 - Business Continuity Management](#c26-iso-22301---business-continuity-management)
    - [C.2.7 ISO 8601 - Date and Time Format](#c27-iso-8601---date-and-time-format)
  - [C.3 Related ETSI Standards](#c3-related-etsi-standards)
  - [C.4 Relationship to Other Standards Bodies](#c4-relationship-to-other-standards-bodies)
    - [C.4.1 W3C Web Standards](#c41-w3c-web-standards)
    - [C.4.2 WHATWG Standards](#c42-whatwg-standards)
    - [C.4.3 IETF Standards](#c43-ietf-standards)
  - [C.5 Industry Security Frameworks](#c5-industry-security-frameworks)
    - [C.5.1 CIS Benchmarks](#c51-cis-benchmarks)
    - [C.5.2 NIST Cybersecurity Framework](#c52-nist-cybersecurity-framework)
- [Annex D (informative): Risk identification and assessment methodology](#annex-d-informative-risk-identification-and-assessment-methodology)
  - [D.1 Assets](#d1-assets)
    - [D.1.1 Data](#d11-data)
    - [D.1.2 Product functions](#d12-product-functions)
  - [D.2 Threats](#d2-threats)
  - [D.3 Assumptions](#d3-assumptions)
  - [D.4 Risk assessments of threats](#d4-risk-assessments-of-threats)
- [Annex E (informative): Risk evaluation guidance](#annex-e-informative-risk-evaluation-guidance)
  - [E.1 Mapping of risks to requirements](#e1-mapping-of-risks-to-requirements)
  - [E.2 Risks not treated by the requirements](#e2-risks-not-treated-by-the-requirements)
  - [E.3 Risk acceptance criteria](#e3-risk-acceptance-criteria)
  - [E.4 Residual risks](#e4-residual-risks)
- [Annex K](#annex-k)
- [Annex L (informative): Relationship between the present document and the requirements of EU Regulation 2024/2847](#annex-l-informative-relationship-between-the-present-document-and-the-requirements-of-eu-regulation-20242847)
- [Annex : Change history](#annex--change-history)
- [History](#history)

# Intellectual Property Rights

Essential patents

IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations pertaining to these essential IPRs, if any, are publicly available for **ETSI members and non-members** , and can be found in ETSI SR 000 314: _"Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in respect of ETSI standards"_ , which is available from the ETSI Secretariat. Latest updates are available on the [ETSI IPR online database](https://ipr.etsi.org/).

Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs, including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become, essential to the present document.


Trademarks

The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners. ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.

**DECT™**, **PLUGTESTS™**, **UMTS™** and the ETSI logo are trademarks of ETSI registered for the benefit of its Members. **3GPP™**, **LTE™** and **5G™** logo are trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. **oneM2M™** logo is a trademark of ETSI registered for the benefit of its Members and of the oneM2M Partners. **GSM®** and the GSM logo are trademarks registered and owned by the GSM Association.

# Foreword

> DRAFT FOREWORD - DO NOT CONSIDER THE CONTENT

This draft Harmonised European Standard (EN) has been produced by ETSI Technical Committee Cyber Working Group for EUSR (CYBER-EUSR), and is now submitted for the combined Public Enquiry and Vote phase of the ETSI Standardisation Request deliverable Approval Procedure (SRdAP).

The present document has been prepared under the Commission's standardisation request C(2025) 618 final to provide one voluntary means of conforming to the requirements of Regulation (EU) No 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) No 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).

Once the present document is cited in the Official Journal of the European Union under that Regulation, compliance with the normative clauses of the present document given in table A.1 confers, within the limits of the scope of the present document, a presumption of conformity with the corresponding requirements of that Regulation and associated EFTA regulations.

Transposition table

The Harmonised Standard shall have appropriate transposition periods specified. A Harmonised Standard confers presumption of conformity when it has been published in the Official Journal of the European Union (OJEU) and transposed by a member state.

The Technical Body may propose different dates to the default ones (3, 6, 18). Technical Bodies who wish to propose different dates are advised to indicate this clearly in the approved committee draft.

| Proposed national transposition dates                                                  |                                 |
|----------------------------------------------------------------------------------------|---------------------------------|
| Date of latest announcement of this EN (doa):                                          | 3 months after ETSI publication |
| Date of latest publication of new National Standard or endorsement of this EN (dop/e): | 6 months after doa              |
| Date of withdrawal of any conflicting National Standard (dow):                         | 18 months after doa             |

The Technical Body should advise the ETSI Secretariat if the above default national transposition dates are inappropriate for the particular standard.



# Modal verbs terminology

In the present document "**should**", "**should not**", "**may**", "**need not**", "**will**", "**will not**", "**can**" and "**cannot**" are to be interpreted as described in clause 3.2 of the [ETSI Drafting Rules](https://portal.etsi.org/Services/editHelp/How-to-start/ETSI-Drafting-Rules) (Verbal forms for the expression of provisions).

"**must**" and "**must not**" are **NOT** allowed in ETSI deliverables except when used in direct citation.


# Executive summary


Browsers represent one of the most complex and security-critical software products in modern computing, serving as the primary gateway between users and internet resources while processing untrusted content from millions of sources daily. The browser's architecture encompasses multiple interconnected subsystems, including rendering engines, JavaScript/WebAssembly execution environments, network stacks, and extension frameworks, each presenting a distinct attack surface that shall be defended while maintaining performance, compatibility with legacy web content, and user autonomy.

Unlike traditional security products that can enforce restrictive controls, browsers shall balance protection against an evolving threat landscape with respect for user choice, creating unique challenges where users may deliberately choose to visit malicious sites, install risky extensions, or disable security features. The browser's multi-layered trust model, spanning from the highly privileged browser core through semi-trusted extensions to completely untrusted web content, requires sophisticated isolation mechanisms, granular permission systems, and careful mediation of system resource access. 

Given browsers' ubiquitous deployment across consumer, enterprise, and specialized environments, their role as platforms for Progressive Web Applications, and their position as primary targets for nation-state and criminal actors, establishing proportionate security requirements under the Cyber Resilience Act demands careful consideration of the inherent tensions between security, functionality, performance, and user agency that define the modern web browsing experience.

# Introduction

This European harmonised standard defines cybersecurity requirements applicable to browsers.

This document will provide security requirements and assessment criteria covering all elements defined in CRA Annex I Part 1 and Part 2 for standalone browsers, as listed among the CRA Annex III Class I important products.
This work item intends to produce an EN as a candidate for harmonisation, under the standardisation request in support of the implementation of the CRA (M/606).

<br />

# 1 Scope

This standard focuses on browsers, both standalone and embedded. Browsers are software products with digital elements that enable end users to access and interact with web content hosted on servers that are connected to local and remote networks.

Within the context of an operating system, browsers are user applications with a primary function and probable daily use. They are often leveraged as a means of accessing remote authentication (single sign-on) or even as a bridge (deep link) to another application that has already been installed. In both cases, operating systems provide the notion of a "default browser" that other applications can then instrument to navigate to a website or perform such an activity.

The activity of browsing can be defined in the following steps:

1. A machine accesses remote resources and source code, such as HTML, JavaScript/WebAssembly, and CSS.
2. This source is represented visually, acoustically, or in some other form.
3. The user interacts with the rendered representation through input and output interfaces, including visual observation, text entry, pointer interaction, or other supported input modalities.

## 1.1 Browser

### 1.1.1 Standalone

Standalone browsers are applications that fulfil the functions of browsing.

Web browsers are software applications that access, retrieve, and interact with information and resources addressed by URLs. A standalone browser may be used for everyday tasks such as reading email, managing a calendar, or consuming the news. 

Such programs commonly have interfaces for managing multiple websites, browsing history, bookmarks, user identities, passwords, and other settings. 

They can commonly be extended with browser extensions, which are products with digital elements that have the ability to read, store, and modify the websites that users interact with.

### 1.1.2 Embedded

Embedded browsers are browsing services that are integrated into another system or application. 

As such, they are programs using the same baseline technology of browsing but are commonly used for “single purpose” browsing. This means that instead of opening the user’s preferred standalone browser, the hosting application will open an embedded browser to keep the user’s attention. It is not common for a user to be able to change the configuration of an embedded browser.

### 1.1.3 Progressive Web Apps (PWA)

Progressive Web Apps are web applications that can be installed to a user's device from a standalone browser and subsequently operate in a dedicated application-like context.

PWAs leverage browser capabilities including service workers, application manifests, and isolated storage to provide offline functionality, push notifications, and integration with operating system features such as the application launcher and task switcher. When installed, they execute within the browser's process architecture but present themselves to the user as distinct applications with their own windows, icons, and settings.

Unlike traditional web pages, installed PWAs maintain separate configuration contexts from the main browser, including distinct storage partitions, permission grants, and display modes. They may register custom protocol handlers, manage their own cache strategies through service workers, and receive operating system events such as share targets or file handlers. Despite this application-like presentation, PWAs remain fundamentally web applications subject to the same security boundaries and web platform APIs as content rendered in standard browser tabs.

### 1.1.4 Browser Extensions

Browser extensions are third-party software components that integrate with and extend the functionality of standalone browsers.

Extensions operate with elevated privileges compared to standard web content, enabling them to intercept and modify network requests, inject scripts into web pages, access cross-origin resources, interact with browser APIs, and persist data across browsing sessions. They are distributed through vendor-operated extension stores or side-loaded through developer modes, and are subject to varying degrees of review, validation, and ongoing monitoring depending on the browser vendor's policies.

Unlike web applications that execute within the constraints of the same-origin policy, extensions declare their required permissions through manifest files and, once granted, operate with capabilities that span multiple origins and browser contexts. They may consist of background scripts or service workers for persistent logic, content scripts that execute within web page contexts, popup interfaces, options pages, and other components. The security model of extensions creates a unique trust boundary where extensions act as intermediaries between the browser core and web content, requiring careful permission management, isolation mechanisms, and code signing to prevent abuse while enabling legitimate functionality enhancements.

## 1.2 Derivative Browsers and Manufacturer Obligations

A significant proportion of browsers placed on the market are derivative products based on open source browser engines or substantially complete browser implementations. Understanding the manufacturer's obligations for such derivative products is essential to the proportionate application of this standard.

### 1.2.1 Open Source Browser Engines and Derivative Products

Open source browser projects such as Chromium, Gecko (Firefox), and WebKit provide complete or near-complete browser implementations that serve as the foundation for derivative products. These upstream projects are stewarded by organizations that maintain the core rendering engines, JavaScript execution environments, network stacks, and security architectures, but the projects themselves do not constitute products placed on the EU market with CE marking.

When an economic operator takes such an open source project, applies modifications (whether substantial or minor), and places the resulting browser on the market under their own brand or distribution channel, that operator becomes a manufacturer under the Cyber Resilience Act <a href="#_ref_i.1">[i.1]</a>. This classification applies regardless of the extent of modification, from minor branding and default configuration changes to substantial feature additions, custom user interfaces, or integration of proprietary services.

### 1.2.2 Spectrum of Derivative Modifications

Derivative browsers exist along a spectrum of modification, each with implications for conformity assessment:

**Minor Modifications**: Browsers that modify only branding elements, default search providers, homepage settings, bundled bookmarks, or visual themes while maintaining the upstream codebase's security architecture, update mechanisms, and core functionality. Examples include rebranded releases for specific markets or partnerships.

**Configuration-Level Modifications**: Browsers that alter default privacy settings, tracking protection levels, extension policies, or feature flags to differentiate the product while preserving the underlying implementation. Such modifications may strengthen or weaken security postures relative to the upstream project.

**Feature Additions**: Browsers that integrate additional capabilities such as built-in VPN services, cryptocurrency wallets, AI assistants, proprietary synchronization services, or vertical-specific toolbars. These additions create new attack surfaces and data processing considerations beyond those present in the upstream project.

**Architectural Modifications**: Browsers that modify process architecture, sandbox implementations, network request routing, certificate validation logic, or other security-critical components. Such changes may fundamentally alter the security properties inherited from the upstream project.

### 1.2.3 Manufacturer Responsibilities for Derivative Products

Economic operators placing derivative browsers on the market bear full manufacturer obligations under the CRA, regardless of their reliance on upstream security implementations. These obligations include:

**Security Requirement Compliance**: Demonstrating that the derivative product, in its modified form, satisfies the essential cybersecurity requirements of Annex I of the CRA. While manufacturers may rely on the security properties of unmodified upstream components, any modifications should be assessed for their impact on those security properties.

**Vulnerability Management**: Establishing processes to monitor both upstream security advisories and vulnerabilities specific to the manufacturer's modifications. Timely integration of upstream security patches is a critical manufacturer responsibility, as delays in patch integration extend the exposure window for known vulnerabilities affecting end users.

**Conformity Assessment**: Conducting or commissioning technical assessments that address both the inherited security properties from the upstream project and the security implications of the manufacturer's specific modifications. The assessment should consider whether modifications have weakened, maintained, or strengthened the security posture.

**Technical Documentation**: Maintaining documentation that clearly delineates which components are inherited from the upstream project versus manufacturer modifications, security reviews conducted on modifications, processes for integrating upstream updates, and any divergences from upstream security defaults.

**Update Delivery**: Ensuring that security updates reach end users in a timely manner. For derivative browsers, this includes both the integration of upstream security patches into the manufacturer's codebase and the delivery of updated builds to end users through the manufacturer's distribution and update infrastructure.
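The vulnerability-management and update-delivery obligations above turn on one measurable quantity: the exposure window between an upstream security fix becoming available and the build containing it reaching end users. The following script, added here as an illustration and not part of the present document or of any browser project, computes that window from two records a manufacturer would keep (upstream fixes with severity and publication date; derivative releases with ship date and the fixes they carry) and flags windows that exceed a per-severity policy. All advisory identifiers, dates and thresholds are constructed.

```python
"""Exposure-window report for a derivative browser's upstream patch integration.

Added example; it is not part of EN 304 617 and not code from any browser
project. It assumes the manufacturer records (a) each upstream security fix
with its publication date and severity, and (b) each derivative release with
its ship date and the upstream fixes it integrates. Every identifier, date
and threshold below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class UpstreamFix:
    advisory: str      # constructed identifier, e.g. "UP-2025-0001"
    severity: str      # "critical" | "high" | "medium" | "low"
    published: date    # date the upstream patch became available


@dataclass(frozen=True)
class DerivativeRelease:
    version: str
    shipped: date                 # date the build reached end users
    includes: FrozenSet[str]      # advisories whose fixes this build carries


# Hypothetical manufacturer policy: maximum acceptable days between upstream
# patch availability and delivery to end users, per severity.
MAX_LAG_DAYS: Dict[str, int] = {"critical": 7, "high": 14, "medium": 30, "low": 90}


def first_delivery(fix: UpstreamFix, releases: Iterable[DerivativeRelease]) -> Optional[date]:
    """Earliest ship date of a release carrying the fix (None if not shipped yet).

    A release that predates the upstream fix cannot contain it, so such
    releases are ignored even if the record claims otherwise.
    """
    candidates = [r.shipped for r in releases
                  if fix.advisory in r.includes and r.shipped >= fix.published]
    return min(candidates) if candidates else None


def exposure_windows(fixes: Iterable[UpstreamFix], releases: Iterable[DerivativeRelease],
                     today: date) -> Dict[str, dict]:
    """Map advisory -> {"lag_days", "delivered", "over_policy"}.

    lag_days is the exposure window: days from upstream publication to the
    first derivative release containing the fix, or to `today` for fixes that
    have not shipped yet (that window is still open and still growing).
    """
    releases = list(releases)
    report: Dict[str, dict] = {}
    for fix in fixes:
        delivered = first_delivery(fix, releases)
        window_end = delivered if delivered is not None else today
        lag = (window_end - fix.published).days
        report[fix.advisory] = {
            "lag_days": lag,
            "delivered": delivered is not None,
            "over_policy": lag > MAX_LAG_DAYS[fix.severity],
        }
    return report


def over_policy(report: Dict[str, dict]) -> List[str]:
    """Advisories whose exposure window exceeds the policy threshold, sorted."""
    return sorted(a for a, row in report.items() if row["over_policy"])


# Constructed sample data (not real advisories or releases).
FIXES = [
    UpstreamFix("UP-2025-0001", "critical", date(2025, 3, 1)),
    UpstreamFix("UP-2025-0002", "high", date(2025, 3, 1)),
    UpstreamFix("UP-2025-0003", "medium", date(2025, 3, 20)),
]
RELEASES = [
    DerivativeRelease("120.0.1", date(2025, 3, 5), frozenset({"UP-2025-0001"})),
    DerivativeRelease("120.0.2", date(2025, 3, 28), frozenset({"UP-2025-0001", "UP-2025-0002"})),
]
TODAY = date(2025, 4, 15)

if __name__ == "__main__":
    for advisory, row in exposure_windows(FIXES, RELEASES, TODAY).items():
        flag = "OVER POLICY" if row["over_policy"] else "ok"
        state = "delivered" if row["delivered"] else "still open"
        print(f"{advisory}: {row['lag_days']:3d} days ({state}) {flag}")
```

With the constructed data, the critical fix ships within four days, the high-severity fix takes 27 days and is flagged, and the medium fix has an open window of 26 days that will cross the threshold if no release ships soon; a report of this kind is the evidence an assessor would expect behind the "timely integration" claim.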

### 1.2.4 Trust in Upstream Security Implementations

Manufacturers of derivative browsers commonly rely on the security implementations provided by upstream projects for foundational requirements such as TLS protocol implementation, cryptographic library usage, certificate validation, same-origin policy enforcement, and sandbox architecture. This reliance is reasonable provided that:

**Upstream Security Processes are Verifiable**: The upstream project demonstrates transparent security practices including public vulnerability disclosure, security-focused development processes, regular security audits, and timely patch releases.

**Modifications Do Not Undermine Upstream Security**: The manufacturer's changes do not bypass, weaken, or interfere with the security mechanisms inherited from the upstream project. For example, modifications that disable certificate validation, weaken content security policies, or reduce sandbox restrictions would constitute substantial security regressions requiring additional justification and compensating controls.

**Integration Timeliness is Maintained**: The manufacturer maintains a process to integrate upstream security patches within a reasonable timeframe. Extended delays between upstream patch availability and manufacturer distribution create unnecessary risk exposure for end users.

**Deviation Points are Documented and Assessed**: Where the manufacturer intentionally diverges from upstream security defaults (e.g., enabling features disabled upstream for security reasons, or modifying cryptographic configurations), these deviations are documented with security rationale and risk assessment.
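The second and fourth conditions above (modifications must not undermine upstream security; deviation points must be documented) can be checked mechanically if the effective security defaults of the upstream and derivative builds are exported as flat setting/value maps. The audit below is an added example, not part of the present document or of any browser project; the setting names, values, the weakest-to-strongest ordering and the rationale register are all constructed assumptions, and the output is the list of weakened defaults for which no security rationale has been recorded.

```python
"""Audit of a derivative browser's deviations from upstream security defaults.

Added example; not part of EN 304 617 nor of any browser project. It assumes
the manufacturer can export the effective defaults of both the upstream build
and the derivative build as flat setting -> value maps, and keeps a register of
documented security rationales keyed by setting name. Setting names, values and
the strength ordering are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed ordering of each setting's values from weakest to strongest.
# A value absent from the list cannot be classified and is reported as "unknown".
STRENGTH_ORDER: Dict[str, List[str]] = {
    "certificate_validation": ["disabled", "lenient", "strict"],
    "renderer_sandbox": ["disabled", "enabled"],
    "site_isolation": ["disabled", "enabled"],
    "safe_browsing": ["disabled", "enabled"],
    "min_tls_version": ["1.0", "1.1", "1.2", "1.3"],
    # For side-loading of extensions, "enabled" is the weaker posture.
    "extension_sideloading": ["enabled", "disabled"],
}


@dataclass(frozen=True)
class Deviation:
    setting: str
    upstream: Optional[str]
    derivative: Optional[str]
    direction: str     # "weakened" | "strengthened" | "unchanged" | "added" | "unknown"
    documented: bool   # a security rationale exists in the register


def classify(setting: str, upstream_value: Optional[str], derivative_value: Optional[str]) -> str:
    """Direction of a deviation relative to the upstream default."""
    if upstream_value is None:
        return "added"      # manufacturer-added setting with no upstream counterpart
    if derivative_value == upstream_value:
        return "unchanged"
    order = STRENGTH_ORDER.get(setting)
    if not order or upstream_value not in order or derivative_value not in order:
        return "unknown"    # cannot rank: needs manual review
    return "strengthened" if order.index(derivative_value) > order.index(upstream_value) else "weakened"


def audit(upstream: Dict[str, str], derivative: Dict[str, str],
          rationale: Dict[str, str]) -> List[Deviation]:
    """One Deviation per setting seen in either build.

    A setting missing from the derivative export inherits the upstream default,
    so it is compared as unchanged.
    """
    out: List[Deviation] = []
    for setting in sorted(set(upstream) | set(derivative)):
        up = upstream.get(setting)
        dv = derivative.get(setting, up)
        out.append(Deviation(setting, up, dv, classify(setting, up, dv), setting in rationale))
    return out


def undocumented_regressions(deviations: List[Deviation]) -> List[str]:
    """Settings weakened relative to upstream with no recorded security rationale:
    exactly the deviations that need justification and compensating controls."""
    return sorted(d.setting for d in deviations
                  if d.direction == "weakened" and not d.documented)


# Constructed sample exports (not taken from any real browser).
UPSTREAM_DEFAULTS = {
    "certificate_validation": "strict",
    "renderer_sandbox": "enabled",
    "site_isolation": "enabled",
    "safe_browsing": "enabled",
    "min_tls_version": "1.2",
    "extension_sideloading": "disabled",
}
DERIVATIVE_DEFAULTS = {
    "certificate_validation": "strict",
    "renderer_sandbox": "disabled",       # weakened, documented below
    "safe_browsing": "disabled",          # weakened, no rationale recorded
    "min_tls_version": "1.3",             # strengthened
    "extension_sideloading": "enabled",   # weakened, no rationale recorded
    "builtin_wallet": "enabled",          # manufacturer-added feature
    # site_isolation omitted: inherits the upstream default
}
RATIONALE = {
    "renderer_sandbox": "Constructed rationale: legacy plugin host cannot run sandboxed; "
                        "compensating control: plugin host confined to its own restricted process.",
}

if __name__ == "__main__":
    deviations = audit(UPSTREAM_DEFAULTS, DERIVATIVE_DEFAULTS, RATIONALE)
    for d in deviations:
        print(f"{d.setting:24} {str(d.upstream):>8} -> {str(d.derivative):<8} "
              f"{d.direction:12} documented={d.documented}")
    print("undocumented regressions:", undocumented_regressions(deviations))
```

The ordering table is the only place where security judgement enters; everything else is bookkeeping. In practice the table would be reviewed with the same care as the deviations themselves, since a wrong ordering silently turns a regression into a "strengthening".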

### 1.2.5 Application of This Standard to Derivative Browsers

When applying the requirements of this standard to derivative browsers, manufacturers and assessors should consider:

**Inherited vs. Modified Components**: Requirements addressing components that remain unmodified from the upstream project may be satisfied by demonstrating that the upstream implementation meets the requirement, provided the manufacturer's integration does not interfere with that implementation.

**Modification-Specific Assessment**: Requirements addressing areas where the manufacturer has made modifications require direct assessment of those modifications. This includes manufacturer-added features, modified defaults, integrated services, and any changes to security-critical code paths.

**Update Mechanism Obligations**: Even where a manufacturer relies on the upstream project's update mechanism architecture, the manufacturer remains responsible for ensuring that updates reach end users. This includes operating update servers, signing update packages, managing update channels, and ensuring update delivery reliability.

**Use Case Alignment**: Derivative browsers should be assessed against the use cases (clause 4.4) that align with their intended deployment contexts. A derivative browser marketed for general consumer use would align with UC-B1, while one marketed for enterprise deployment with proprietary features would align with UC-B7, regardless of their shared upstream heritage.

Derivative browsers represent a practical and economically significant category of products within the browser market. This standard recognizes that reliance on well-maintained upstream security implementations is a valid engineering approach, while maintaining that manufacturers placing derivative products on the market retain full responsibility for the security properties of the products they distribute.

### 1.2.6 State of the Art: Industry Testing and Security Practices

The state of the art for browser development and security validation encompasses organizational practices, industry standards, and comprehensive testing regimes that manufacturers should demonstrate to establish the quality and security of their browser implementations, whether original or derivative.

**Organizational Practices and Resources**:

Reputable browser manufacturers, both upstream projects and derivative product vendors, demonstrate their commitment to security through:

- **Adequate staffing**: Employment of sufficient numbers of developers and security personnel with expertise in browser architecture, web standards, cryptography, and vulnerability research
- **Security-focused development**: Dedicated security teams, secure development lifecycle practices, code review processes, and security architecture oversight
- **Transparency and communication**: Public disclosure of security policies, vulnerability handling procedures, and regular security bulletins
- **User commitment**: Published statements of commitment to user security and privacy, including privacy policies, data handling practices, and user control mechanisms
- **Update cadence**: Regular release schedules for security updates and patches, with clear timelines for critical vulnerability remediation

**Industry Standards Compliance**:

Browsers are expected to comply with applicable industry standards including but not limited to:

- **Web standards**: W3C specifications (HTML, CSS, JavaScript/ECMAScript, DOM, Fetch, etc.), WHATWG living standards
- **Security standards**: IETF RFCs for TLS, HTTP, WebAuthn, and related protocols; CA/Browser Forum Baseline Requirements
- **Accessibility standards**: WCAG (Web Content Accessibility Guidelines), ARIA (Accessible Rich Internet Applications)
- **Privacy standards**: Do Not Track, Global Privacy Control, tracking protection standards

**Industry-Recognized Testing Frameworks**:

Browsers should undergo testing using recognized industry test suites and frameworks:

**Standards Conformance Tests**:

- **Web Platform Tests (WPT)**: Comprehensive cross-browser test suite maintained by W3C and browser vendors, with public dashboard available at https://wpt.fyi/ showing conformance across implementations
- **Test262**: Official ECMAScript conformance test suite maintained by Ecma TC39, verifying JavaScript/ECMAScript specification compliance
- **W3C Test Suites**: Individual test suites for specific W3C specifications (CSS Working Group tests, HTML5 tests, etc.)
- **Acid Tests**: Historical but influential browser standards compliance tests (Acid1, Acid2, Acid3) developed by the Web Standards Project

**Functional and Compatibility Testing**:

- **Selenium**: Open-source testing framework for browser automation, widely used for functional testing and regression testing across browsers
- **BrowserStack**: Cloud-based cross-browser testing platform enabling compatibility verification across browser versions, operating systems, and devices
- **Playwright/Puppeteer**: Modern browser automation and testing frameworks providing programmatic control for automated testing

**Security-Specific Testing and Validation**:

- **CA/Browser Forum participation**: Engagement with the CA/Browser Forum (https://cabforum.org/working-groups/server/charter/) which establishes baseline requirements for certificate authorities and browser trust store policies
- **TLS/Certificate validation testing**: Testing against standard certificate validation scenarios, revocation checking, and TLS protocol compliance
- **Vulnerability disclosure programs**: Participation in responsible disclosure programs, bug bounty programs, and coordinated vulnerability disclosure processes
- **Penetration testing**: Regular security assessments by internal security teams or external security researchers

**Standards Body Participation**:

Active participation in standards bodies demonstrates commitment to interoperability and security best practices:

- **W3C (World Wide Web Consortium)**: Participation in working groups defining web standards
- **WHATWG (Web Hypertext Application Technology Working Group)**: Collaboration on living standards for HTML, DOM, and related specifications
- **IETF (Internet Engineering Task Force)**: Engagement in protocol standardization (TLS, HTTP, WebRTC, etc.)
- **Ecma International**: Participation in ECMAScript (JavaScript) standardization through TC39
- **CA/Browser Forum**: Involvement in establishing requirements for certificate authorities and browser root programs
- **FIDO Alliance**: Participation in authentication standards development (WebAuthn, FIDO2)

**Implications for Derivative Browsers**:

Derivative browser manufacturers should demonstrate:

1. **Upstream testing inheritance**: Evidence that the upstream project undergoes comprehensive testing via WPT, Test262, and other industry-standard test suites, with results publicly available
2. **Modification testing**: Testing of manufacturer-specific modifications using appropriate test frameworks to ensure modifications do not introduce regressions or security vulnerabilities
3. **Integration testing**: Validation that the integration of upstream components with manufacturer additions maintains standards compliance and security properties
4. **Security review process**: Documentation of security review procedures for modifications, including code review, security testing, and vulnerability assessment
5. **Update testing**: Verification that upstream updates are tested before distribution to ensure compatibility with manufacturer modifications

Manufacturers may demonstrate compliance with industry testing practices by referencing:

- Publicly available test results on wpt.fyi or similar dashboards
- Participation in open-source testing efforts
- Documentation of testing methodologies and results
- Third-party security assessments or certifications
- Membership in relevant standards bodies and working groups

The state of the art represents a comprehensive approach to browser quality and security, combining organizational commitment, standards compliance, extensive automated testing, security-focused practices, and community engagement. Derivative browser manufacturers should demonstrate that their products meet or exceed these industry norms, either through inheritance from well-maintained upstream projects or through their own testing and validation processes.
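Items 1 to 3 of the list above (upstream testing inheritance, modification testing, integration testing) reduce in practice to one comparison: the derivative's conformance-test results against the upstream baseline, with any test that newly fails or disappears requiring an explanation. The script below is an added example and is not part of the present document, of the Web Platform Tests project or of any browser; the report shape it reads (a `results` list of tests, each with a harness `status` and named `subtests`) is a simplified form assumed for the example, and the test paths, statuses and the selection of security-relevant directories are constructed sample data.

```python
"""Regression check of a derivative's web-platform test results against upstream.

Added example; not part of EN 304 617, of the WPT project or of any browser.
The report shape (a "results" list of tests, each with a harness "status" and
named "subtests") is a simplified form assumed for this example; the test
paths and all statuses are constructed sample data.
"""
from typing import Dict, List, Optional, Tuple

PASSING = {"PASS", "OK"}
# Constructed selection of test directories that exercise security boundaries.
SECURITY_PREFIXES = ("/content-security-policy/", "/fetch/", "/mixed-content/", "/referrer-policy/")

Key = Tuple[str, Optional[str]]   # (test path, subtest name; None = harness status)


def flatten(report: dict) -> Dict[Key, str]:
    """Index every harness and subtest status by (test, subtest)."""
    out: Dict[Key, str] = {}
    for t in report["results"]:
        out[(t["test"], None)] = t["status"]
        for s in t.get("subtests", []):
            out[(t["test"], s["name"])] = s["status"]
    return out


def label(key: Key) -> str:
    test, sub = key
    return f"{test}::{sub if sub is not None else '<harness>'}"


def compare(upstream: dict, derivative: dict) -> Dict[str, List[str]]:
    """Classify differences between the upstream baseline and the derivative run.

    regressions: passing upstream, not passing in the derivative
    missing:     present upstream, absent from the derivative run (a removed
                 feature or a skipped test needs an explanation just as a
                 failure does)
    added:       present only in the derivative (manufacturer-added tests)
    """
    up, dv = flatten(upstream), flatten(derivative)
    regressions = [k for k in up if k in dv and up[k] in PASSING and dv[k] not in PASSING]
    missing = [k for k in up if k not in dv]
    added = [k for k in dv if k not in up]
    return {
        "regressions": sorted(map(label, regressions)),
        "missing": sorted(map(label, missing)),
        "added": sorted(map(label, added)),
    }


def security_regressions(diff: Dict[str, List[str]]) -> List[str]:
    """Subset of regressions under the security-relevant directories."""
    return [r for r in diff["regressions"] if r.startswith(SECURITY_PREFIXES)]


# Constructed sample reports (paths and results are illustrative only).
UPSTREAM_REPORT = {"results": [
    {"test": "/fetch/api/cors/cors-basic.any.html", "status": "OK", "subtests": [
        {"name": "Same-origin request", "status": "PASS"},
        {"name": "Cross-origin request without CORS headers is blocked", "status": "PASS"}]},
    {"test": "/content-security-policy/script-src/inline-blocked.html", "status": "OK", "subtests": [
        {"name": "Inline script is blocked by script-src", "status": "PASS"}]},
    {"test": "/html/semantics/embedded-content/the-iframe-element/srcdoc.html", "status": "OK",
     "subtests": [{"name": "srcdoc document renders", "status": "PASS"}]},
]}
DERIVATIVE_REPORT = {"results": [
    {"test": "/fetch/api/cors/cors-basic.any.html", "status": "OK", "subtests": [
        {"name": "Same-origin request", "status": "PASS"},
        {"name": "Cross-origin request without CORS headers is blocked", "status": "PASS"}]},
    {"test": "/content-security-policy/script-src/inline-blocked.html", "status": "OK", "subtests": [
        {"name": "Inline script is blocked by script-src", "status": "FAIL"}]},   # regression
    # iframe srcdoc test absent from this run: "missing"
    {"test": "/vendor/wallet/injection.html", "status": "OK", "subtests": [
        {"name": "wallet provider object present", "status": "PASS"}]},          # manufacturer-added
]}

if __name__ == "__main__":
    diff = compare(UPSTREAM_REPORT, DERIVATIVE_REPORT)
    for kind, items in diff.items():
        print(f"{kind}: {len(items)}")
        for item in items:
            print("   ", item)
    print("security regressions:", security_regressions(diff))
```

A non-empty `security_regressions` list on a derivative build is the kind of finding the security review process (item 4) should block on, and a non-empty `missing` list is the trigger for documenting which upstream features the manufacturer removed and why.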

# 2 References

## 2.1 Normative references

_**In Harmonised Standards these references shall be specific** (identified by date of publication and/or edition number or version number) **publicly available and in English, except in exceptional circumstances making sure that impacts have been evaluated and explanations have been given on how any negative implications should be avoided**. See clauses 2.10.1 and 8.4 of the [EDRs](EDRs) and the communiqué on "[References in ETSI Deliverables](https://portal.etsi.org/Portals/0/TBpages/edithelp/Docs/News_from_editHelp/References_in_ETSI_deliverables.pdf)"._

_Guidance for selecting normative references in harmonised standards is given in clause 2.8.3 of the Vademecum on European standardisation. Please **systematically consult with your Technical Officer** for the latest guidance on normative references other than to ENs, ISO/IEC standards, notably to prevent the risk of non-acceptance._

_**Legal acts can never be used as normative references.**_

_It is recommended that the number of references be limited to the minimum needed for the implementation/application of the ETSI Deliverables. References not directly concerned with the implementation/application/understanding of the ETSI Deliverable shall be listed in the Bibliography annex._

_References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies._

_Referenced documents which are not found to be publicly available in the expected location might be found in the [ETSI docbox](https://docbox.etsi.org/Reference/)._

> NOTE:    While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.

The following referenced documents are necessary for the application of the present document.

- <a name="_ref_1">[1]</a>    &lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>".

## 2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.

> NOTE:    While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.

The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's understanding but are not required for conformance to the present document.

- <a name="_ref_i.1">[i.1]</a>    Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).

- <a name="_ref_i.2">[i.2]</a>    NIST SP 800-128 (2011): "Guide for Security-Focused Configuration Management of Information Systems".

- <a name="_ref_i.x">[i.x]</a>    &lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>".

# 3 Definition of terms, symbols and abbreviations

## 3.1 Terms

The terms below are important for understanding the purpose and usage of browsers. For the purposes of the present document, the following terms apply:

| Term | Definition |
|------|------------|
| **Access** | The capability to retrieve, load, and display web content from servers through network protocols, including establishing connections, downloading resources, and rendering content for user consumption. |
| **Accessing Web Content** | The complete process by which browsers retrieve, process, and present web resources to end users, encompassing network communication, content parsing, rendering, and user interface presentation. |
| **Browser Extensions** | Software modules that augment browser functionality by adding features, modifying behavior, or enhancing user experience beyond the browser's core capabilities, typically installed and managed through the browser's extension system. |
| **Browsers** | Software products with digital elements that enable end users to access and interact with web content hosted on servers that are connected to local and remote networks. <br><br>*Note: Expert group definition - In the context of this category of products, browsers are software products with digital elements that enable end users to access and interact with web content hosted on servers that are connected to networks such as the Internet.* |
| **Certificate** | A digital document issued by a Certificate Authority that validates the identity of a website and enables encrypted HTTPS connections, verified by browsers through cryptographic signature validation and certificate chain trust evaluation to prevent man-in-the-middle attacks. |
| **Content Security Policy (CSP)** | A browser security mechanism that allows web applications to declare approved sources for executable scripts, styles, and other resources through HTTP headers or meta tags, mitigating cross-site scripting attacks by preventing execution of unauthorized code. |
| **Cross-Site Scripting (XSS)** | A security vulnerability that allows attackers to inject malicious scripts into trusted websites viewed by other users, potentially stealing credentials, session tokens, or sensitive data by executing attacker-controlled code in the victim's browser context. |
| **Custom Protocol** | Non-standard or application-specific communication protocols that browsers may support for specialized content access or functionality, extending beyond traditional web protocols like HTTP/HTTPS. |
| **Embedded Browsers** | Browsers that are intended for integration into another system or application. |
| **End Users** | Natural persons who utilize browsers to access web content for personal, professional, or other purposes, including but not limited to browsing, reading, viewing multimedia content, and interacting with web applications. |
| **Exploit** | A technique, code, or sequence of actions that takes advantage of a vulnerability to achieve unauthorized behavior, such as arbitrary code execution, privilege escalation, sandbox escape, or information disclosure. |
| **Extension API** | Programming interfaces exposed by browsers that enable extensions to access browser functionality, modify web content, intercept network requests, or integrate with browser features, subject to declared permissions and security policies. |
| **Interact** | The critical activity that defines browsing, encompassing user actions such as clicking hyperlinks, submitting forms, executing scripts, manipulating page elements, and engaging with dynamic web content through input devices. |
| **Man-in-the-Middle (MITM) Attack** | An attack where an adversary intercepts and potentially modifies network communication between a browser and server, often exploiting weak encryption, invalid certificates, or unencrypted HTTP connections to eavesdrop on or manipulate data transmission. |
| **Networks** | Communication infrastructures that enable data transmission between browsers and servers, encompassing local area networks (LANs), wide area networks (WANs), and the global Internet. |
| **Origin** | A fundamental security boundary defined by the combination of scheme (protocol), host (domain), and port of a URL, forming the basis for Same-Origin Policy enforcement and determining which web content can access shared resources, storage, and APIs. |
| **Permission** | A user-granted authorization that allows web content to access sensitive browser capabilities or device hardware (camera, microphone, location, notifications, etc.), managed through explicit user consent prompts and revocable through browser settings. |
| **Process Isolation** | The architectural pattern of separating browser components and web content into distinct operating system processes with independent memory spaces and restricted inter-process communication, containing the impact of security vulnerabilities and preventing cross-context data leakage. |
| **Progressive Web Applications** | Web-based applications that operate within the browser environment, leveraging advanced browser APIs and capabilities to provide enhanced functionality including offline operation, background synchronization, push notifications, and device hardware access, while remaining fundamentally dependent on the browser's runtime and security model for execution and user interaction. |
| **Raw Content** | Unprocessed source code and data formats delivered by servers, including but not limited to XML, JSON, JavaScript, HTML, CSS, and other markup or programming languages before browser interpretation. |
| **Renderer Process** | A sandboxed browser process responsible for parsing, executing, and displaying web content including HTML, CSS, and JavaScript, isolated from other content and the browser core to contain potential exploits within a restricted security boundary. |
| **Same-Origin Policy** | The core browser security model that restricts how documents and scripts from one origin can interact with resources from another origin, preventing malicious websites from reading sensitive data or performing unauthorized actions on behalf of users across different web applications. |
| **Sandbox** | An operating system-level security mechanism that restricts the capabilities and system access of browser processes, limiting damage from compromised web content by preventing unauthorized filesystem access, system call execution, or privilege escalation beyond defined boundaries. |
| **Servers** | Computer systems or software applications that store, process, and deliver web content to browsers via network protocols, responding to browser requests with appropriate resources and data. |
| **Standalone Browsers** | Standalone applications that fulfil the functions of browsers. |
| **Telemetry** | Automated collection and transmission of browser usage data, performance metrics, crash reports, and diagnostic information to browser manufacturers for product improvement, typically requiring user consent and subject to privacy controls and data minimization principles. |
| **Vulnerability** | A weakness or flaw in browser implementation that can be exploited by malicious actors to bypass security controls, execute arbitrary code, access unauthorized data, or compromise system integrity, typically addressed through security updates and patches. |
| **Web Content** | The displayed and rendered representation of raw content, transformed by browsers into human-perceivable formats including text, images, videos, interactive elements, and structured layouts as intended by content creators. |
| **WebView** | A platform-specific embedded browser component that enables applications to display web content within their user interface, providing a subset of full browser functionality while operating under the security context and lifecycle of the host application. Common implementations include Android WebView, iOS WKWebView, Windows WebView2, and cross-platform frameworks such as Electron, Tauri, and Chromium Embedded Framework (CEF). |
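
The **Origin** and **Same-Origin Policy** entries describe the scheme/host/port tuple in prose. The following JavaScript, added here as an illustration and not part of the draft standard, computes that tuple with the WHATWG `URL` class (available in browsers and Node.js) and compares two URLs the way the policy does. Default ports are normalised so that an explicit `:443` on an HTTPS URL does not produce a spurious cross-origin result; opaque origins (`file:`, `data:`, sandboxed frames) are outside this simplified check, and the function names and sample URLs are the example's own.

```javascript
// Added example (not from the draft standard): derive the origin tuple
// (scheme, host, port) of a URL and apply the Same-Origin Policy comparison.
// Only the WHATWG URL class is used; no browser-specific APIs are required.

// Default ports per scheme. URL.port is "" when the port equals the scheme
// default, so both forms must collapse to the same tuple.
const DEFAULT_PORTS = {
  "http:": "80",
  "https:": "443",
  "ws:": "80",
  "wss:": "443",
  "ftp:": "21",
};

// Tuple-based origins only; file:, data:, blob: and sandboxed frames use
// opaque origins in real browsers and are not modelled here.
const TUPLE_SCHEMES = new Set(Object.keys(DEFAULT_PORTS));

function originOf(urlString) {
  const url = new URL(urlString);
  if (!TUPLE_SCHEMES.has(url.protocol)) {
    return { opaque: true };
  }
  const port = url.port === "" ? DEFAULT_PORTS[url.protocol] : url.port;
  return {
    scheme: url.protocol.replace(/:$/, ""),
    host: url.hostname, // path, query and fragment play no part in the origin
    port,
  };
}

// Serialised form as a browser would show it (no default port).
function originToString(urlString) {
  const o = originOf(urlString);
  if (o.opaque) return "null";
  const defaultPort = DEFAULT_PORTS[o.scheme + ":"];
  return `${o.scheme}://${o.host}${o.port === defaultPort ? "" : ":" + o.port}`;
}

// Same-Origin Policy: two URLs share an origin only if all three parts match.
// Opaque origins never match anything, not even themselves.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.opaque || ob.opaque) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample pairs illustrating each part of the tuple.
const SAMPLE_PAIRS = [
  ["https://example.com/a", "https://example.com:443/b#frag"], // same origin
  ["http://example.com/", "https://example.com/"],              // scheme differs
  ["https://example.com/", "https://api.example.com/"],         // host differs
  ["https://example.com/", "https://example.com:8443/"],        // port differs
];

function demo() {
  return SAMPLE_PAIRS.map(([a, b]) => ({ a, b, same: sameOrigin(a, b) }));
}
```

A subdomain is a different host and therefore a different origin, which is why cookies (scoped by host and path, not by origin) and the Same-Origin Policy do not draw the same boundary; that distinction matters when reviewing which storage a page can read.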

## 3.2 Symbols

For the purposes of the present document, the [following] symbols [given in ... and the following] apply:

[to be added]

# 4 Product Context

## 4.1 General

## 4.2 Out of scope use/environments

_List uses/environments covered by other legislation or standards (critical, industrial, medical, etc.). Hoping to have a reusable generic list of these soon._

The types of product with digital elements listed in this section do not fall within the scope of the Cyber Resilience Act <a name="_ref_i.1">[i.1]</a>, and are not covered by this standard:

1. Services, except for the remote data processing solutions for a covered product as defined in CRA recitals 11-12; article 3, 2 <a name="_ref_i.1">[i.1]</a>;
2. Products specifically designed or procured for national security and defence purpose as defined in CRA recitals 14 and 26; article 2, 7-8 <a name="_ref_i.1">[i.1]</a>;
3. Products developed for or used exclusively for internal use by public administration as defined in CRA recital 16; article 5, 2 <a name="_ref_i.1">[i.1]</a>;
4. Non-commercial free and open source software as defined in CRA recitals 17-21; article 13, 5 <a name="_ref_i.1">[i.1]</a>;
5. Medical Devices and Software as defined in CRA recital 25; article 2, 2 [a-b] <a name="_ref_i.1">[i.1]</a>;
6. Vehicles, including aviation and marine equipment as defined in CRA recital 27; article 2, 2.c "vehicles"; recital 27; article 2, 3 "aviation"; article 2, 4 "marine equipment" <a name="_ref_i.1">[i.1]</a>;
7. Spare and used parts as defined in CRA recital 29; article 2, 6 <a name="_ref_i.1">[i.1]</a>;
8. Refurbished, repaired, and upgraded products that have not been substantially modified as defined in recitals 39-42 <a name="_ref_i.1">[i.1]</a>;

The following types of products have reduced or varied requirements under the Cyber Resilience Act <a name="_ref_i.1">[i.1]</a> and can only be partially covered by this standard.

1. High Risk AI as defined in CRA recital 51; article 12 <a name="_ref_i.1">[i.1]</a>;
2. Testing and unfinished versions as defined in recital 37; article 4, 2-3 <a name="_ref_i.1">[i.1]</a>;
3. Products Placed on the Market Prior to December 11, 2027 as defined in CRA article 69 <a name="_ref_i.1">[i.1]</a>.

## 4.3 In-Scope Components

### 4.3.1 In-Scope components standalone browser

For the purposes of this standard, a standalone browser consists of the following in-scope security-relevant components:

**Core Browser Components**:

1. **Rendering Engine**: HTML parser, CSS engine, layout system, and DOM implementation responsible for processing and displaying web content.

2. **JavaScript Engine**: JavaScript runtime, JIT compiler, garbage collector, and execution context management providing the environment for web application code execution.

3. **Network Stack**: HTTP/HTTPS client implementation, certificate validation, connection management, caching subsystem, and protocol handlers (WebSocket, WebRTC, etc.).

4. **Process Architecture**: Multi-process isolation model including browser process, renderer processes, GPU process, network process, and inter-process communication (IPC) mechanisms.

5. **Storage Subsystem**: Cookie management, localStorage, sessionStorage, IndexedDB, Cache API, origin-partitioned storage, and persistent storage quota management.

6. **Permission System**: Runtime permission prompts, permission state management, permission policy enforcement, and user consent UI for sensitive capabilities (camera, microphone, location, notifications, etc.).

7. **Sandbox Implementation**: Operating system-level process sandboxing, seccomp/AppContainer restrictions, filesystem access controls, and system call filtering.

8. **Security Policy Engines**: Same-Origin Policy enforcement, Cross-Origin Resource Sharing (CORS) validation, Content Security Policy (CSP) parser and enforcer, and Mixed Content blocking.

**Extension System Components** (if present):

9. **Extension Runtime**: Extension process management, manifest validation, permission enforcement for extension APIs, and content script injection mechanism.

10. **Extension API Layer**: Browser APIs exposed to extensions (webRequest, tabs, storage, etc.), permission-based access controls, and extension-to-browser IPC.

**Update and Maintenance Components**:

11. **Update System**: Automatic update mechanism, update signature verification, update rollback capability, and background update process.

12. **Diagnostic and Telemetry**: Crash reporting, error logging, usage metrics collection (where implemented with user consent), and debug logging infrastructure.

**User Interface Components**:

13. **Security Indicators**: HTTPS lock icon, certificate viewer, permission indicators, malicious site warnings, and phishing/malware protection UI.

14. **User Consent UI**: Permission prompts, download confirmations, external protocol handler registration prompts, and security warnings.

**Certificate and Trust Components**:

15. **Certificate Management**: Root certificate store, certificate validation logic, OCSP/CRL checking, Certificate Transparency verification, and certificate pinning.

16. **Trust Decisions**: Safe Browsing integration, malicious site detection, phishing protection, download scanning integration, and security warnings.

**Out-of-Scope Components**:

The following components are explicitly excluded from the security requirements of this standard:

- Third-party websites and web applications accessed through the browser
- Server-side infrastructure operated by the browser manufacturer (sync services, account systems) except where they deliver security-critical updates
- Operating system components and system libraries not distributed as part of the browser package
- Third-party extensions and plugins developed outside the browser manufacturer's control
- User-generated bookmarks, preferences, and configuration data
- Remote attestation or DRM modules that operate under separate security models
- Mini-apps executed within super-app platforms (as defined in W3C Mini-App White Paper): Individual mini-apps are separate products with digital elements that inherit their browser security properties from the super-app platform. The security of the super-app platform itself is in scope (UC-B12), but the individual mini-apps hosted within such platforms are out of scope for this standard as their security is derivative of the hosting platform's capabilities.

### 4.3.2 In-Scope components embedded browser

For the purposes of this standard, an embedded browser (WebView component or integrated browser engine) consists of the following in-scope security-relevant components in addition to or as variations of the standalone browser components listed in [4.3.1](#431-in-scope-components-standalone-browser):

**Embedded Browser Core Components**: