Commit 62115444 authored by Sam Drew

Storage requirements first-draft

parent 76d559a7
+42 −0
@@ -145,6 +145,14 @@ For the purposes of the present document, the terms given in Regulation (EU) 202

<mark>Editor's Note: Proposal to put together a common term sheet for all verticals developed in CYBER-EUSR.</mark>

**browser profiles**
: private browsing sessions, temporary guest profiles or user managed profiles that may be used for separating principals or use-cases

**public suffix list**
: list of eTLDs, where the url suffix may be shared by independent tenants

**third-party cookies**
: cookies not keyed to a site other than the top-level site

## 3.2 Symbols

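Review bot: The definition of **third-party cookies** reads as its own inverse: "cookies not keyed to a site other than the top-level site" describes first-party (same-site) cookies, whereas the later requirement [REQ-STORE-CON-1] clearly treats third-party cookies as the cross-site case. Suggest "cookies associated with a site other than the top-level site" (and, if partitioned cookies are meant to be excluded, say so here so that CON-1's `Partitioned` exemption has a defined meaning). Minor: "url suffix" in the **public suffix list** entry should be "URL suffix", and it is worth stating that the list is maintained externally so that [REQ-STORE-SU-2]'s "update regularly" has an identifiable source.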
@@ -168,6 +176,7 @@ For the purposes of the present document, the [following] abbreviations [given i
`CRA   Cyber Resilience Act`  
`CVE   Common Vulnerabilities and Exposures`  
`DB    Database`  
`eTLD  Effective Top-level Domain`
`EDR   Endpoint Detection and Response`  
`DHCP  Dynamic Host Configuration Protocol`  
`GDPR  General Data Protection Regulation`  
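Review bot: The added `eTLD  Effective Top-level Domain` line is missing the two trailing spaces that every other entry in this list uses to force a line break, so in rendered Markdown it will run into the `EDR` entry on the same line. Add the trailing double space (or switch the whole block to a fenced code block, which would remove the dependence on invisible whitespace). Also note the entry is inserted between `DB` and `EDR`; if the list is meant to be alphabetical, `DHCP` below it is already out of order and could be fixed in the same change.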
@@ -417,6 +426,10 @@ Applicability: Web browsers which maintain their own root store, rather than usi

**[REQ-EXT-SU-1]**: The product shall support automatic updates of extensions, and before installing an update shall cryptographically verify the update.

**[REQ-STORE-SU-1]** The product shall maintain the validity of data stored to disk across updates.

**[REQ-STORE-SU-2]** The product shall update the Public Suffix List regularly.

## 5.5 Authentication and access control

Proposed ESR code: AAC
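Review bot: The two new requirements drop the colon after the bold identifier (`**[REQ-STORE-SU-1]** The product ...`), whereas the existing entries in this clause use `**[REQ-EXT-SU-1]**: The product ...`; keep one form so the identifiers can be matched mechanically. On substance, [REQ-STORE-SU-2] "shall update the Public Suffix List regularly" is not testable as written; consider stating a maximum age for the list or tying its refresh to the product's own update cadence, and consider whether the update should be subject to the same verification stated for extension updates in [REQ-EXT-SU-1], since a tampered PSL changes the site boundary that the access-control requirements below depend on.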
@@ -437,6 +450,15 @@ Example: Permissions divided such that an extension can request and access the m

**[REQ-EXT-AAC-6]**: The product shall ensure isolation between the execution and data contexts of different extensions.

**[REQ-STORE-ACC-1]** The product shall store data and enforce access according to the Same-Origin-Policy.

**[REQ-STORE-ACC-2]** For non-cookie data, the product shall only expose data to a given origin that was either (i) stored while visiting that origin, or (ii) with user interaction to indicate intent to provide information (eg form autofill).

**[REQ-STORE-ACC-3]** The product shall enforce Same-Origin-Policy access control for storage data outside rendering processes.

**[REQ-STORE-ACC-4]** The product shall not share or make data available across browser profiles.


## 5.6 Confidentiality

Proposed ESR code: CON
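Review bot: The new identifiers use the code `ACC` (`REQ-STORE-ACC-1` to `-4`), but this clause's proposed ESR code is `AAC` and the existing requirement in the same hunk is `REQ-EXT-AAC-6`; rename to `REQ-STORE-AAC-n` before the numbering is referenced elsewhere. The same missing-colon inconsistency as in the SU hunk applies to all four entries. For [REQ-STORE-ACC-3], "outside rendering processes" would be clearer as "in a process other than the rendering process" if the intent is that enforcement must not rely solely on the renderer (the compromised-renderer case); as written it can be read as restricting where the data lives rather than where the check runs. "Same-Origin-Policy" should be "Same-Origin Policy" and "(eg form autofill)" should be "(e.g., form autofill)".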
@@ -463,6 +485,14 @@ Example: Implementation of HSTS [i.8], active mixed content blocking [i.9], and

**[REQ-EXT-CON-1]**: The product shall prevent secrets stored by extensions from being read by other extensions or by web content.

[REQ-STORE-CON-1] The product shall not send third-party cookies by default. They may be supported consistent with the `Partitioned` attribute.

NOTE: The product can provide users the ability to share third-party cookies, whether on a case-by-case basis through interaction as in Storage Access API or throughout their browser profile through configuration.

[REQ-STORE-CON-2] The product shall make use of OS access control, encryption methods or other mechanisms to ensure confidentiality of disk-stored data.

[REQ-STORE-CON-3] The product shall store browser cache data such that they are keyed to both top-level site and resource.

## 5.7 Integrity

Proposed ESR code: INT
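Review bot: The three `[REQ-STORE-CON-n]` identifiers are the only requirement labels in the file that are not bold and not followed by a colon; format them as `**[REQ-STORE-CON-1]**:` to match `**[REQ-EXT-CON-1]**:` directly above. In [REQ-STORE-CON-1], "They may be supported consistent with the `Partitioned` attribute" should state the exemption explicitly, e.g. "Cookies carrying the `Partitioned` attribute are not subject to this requirement", so that it is clear which cookies the default block applies to. In [REQ-STORE-CON-3], "such that they are keyed" has no plural antecedent ("cache data ... is keyed"), and "resource" would be more precise as "resource URL" if that is the intended second key.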
@@ -490,6 +520,10 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P

**[REQ-EXT-AP-1]**: The product shall make the best effort to prevent the ability of an extension to make the product unavailable.

**[REQ-STORE-AVA-1]** The product shall make use of data stored to disk for state recovery in case of a crash.

Applicability: Where the product and browser profile use storage persisted to disk.

## 5.10 Impact Minimisation

Proposed ESR code: IM
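Review bot: The new identifier `REQ-STORE-AVA-1` uses a different clause code from the existing `REQ-EXT-AP-1` in the same clause; whichever code this clause's "Proposed ESR code" line declares should be used for both. The requirement itself ("shall make use of data stored to disk for state recovery in case of a crash") is a mechanism, not an outcome; stating the outcome ("shall recover session state after an unexpected termination, using data persisted to disk") would make the Applicability line read naturally and leave room for products that recover state some other way. The colon after the bold identifier is missing here too.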
@@ -537,6 +571,8 @@ This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 P

**[REQ-EXT-LOG-1]**: The product shall provide the user the ability to identify running extensions, and to observe their activity.

**[REQ-STORE-LOG-1]** The product shall provide an interface for viewing stored data at a granularity of site or narrower (e.g., origin)

## 5.14 Data Removal and Transparency
Proposed ESR code: DRT

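Review bot: [REQ-STORE-LOG-1] has no terminating period and no colon after the identifier, unlike `**[REQ-EXT-LOG-1]**:` above it; the same sentence is repeated almost verbatim as [REQ-STORE-DRT-3] later in the patch, so it may be worth cross-referencing the two (view and delete at the same granularity) rather than maintaining the wording twice.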
@@ -548,6 +584,12 @@ Applicability: Web browsers which allow changing TLS-related settings.

**[REQ-EXT-DRT-1]**: The product shall enable the removal of individual extensions, which shall delete all data associated with the extension, and revoke all permissions granted to it.

**[REQ-STORE-DRT-1]** The product shall ensure when storage data is deleted, it uses the OS data and memory management interfaces to remove the data*, and verify that it is no longer accessible*.

**[REQ-STORE-DRT-2]** The product shall provide reset functionality that removes all stored data across all sites and browser profiles.

**[REQ-STORE-DRT-3]** The product shall have an interface for deleting storage at a granularity of site or narrower (e.g., origin)

## 5.15 Vulnerability Handling

This clause addresses the requirements in the CRA [\[i.1\]](#_ref_i.1) Annex 1 Part 2.
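Review bot: [REQ-STORE-DRT-1] contains two stray asterisks ("remove the data*, and verify that it is no longer accessible*") that look like an unfinished emphasis span or a leftover editing marker; either close the emphasis or remove them, since as written Markdown will render a single literal `*` in each place. The phrase "uses the OS data and memory management interfaces to remove the data" is also vague about what is required: if the intent is secure deletion, say what property is required (e.g. that deleted data is not recoverable through the product's own storage APIs) rather than naming OS interfaces, because which interface applies differs by platform. [REQ-STORE-DRT-3] is missing its terminating period, and all three DRT entries lack the colon after the bold identifier used by `**[REQ-EXT-DRT-1]**:`.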