Commit 6dd1cab8 authored by BDADAD-stack

reverted changes to headings and numbering

parent 49cd7eb6
+6 −8
@@ -230,7 +230,7 @@ For the purposes of the present document, the [following] abbreviations [given i

<mark>Editor's Note: This clause is not normative.</mark>

## 4.0 Introduction
## 4.1 Intended Purpose

The intended purpose of a web browser is to access, retrieve, and render web-based resources on behalf of an end user and display them via a Graphical User Interface. This includes everything from reading the news and online encyclopedias to accessing critical systems related to finance, government, healthcare, etc.

@@ -238,7 +238,7 @@ Browsers are general-purpose software: When presented with a web browser, includ

The breadth of reasonably forseeable uses for all web browsers implies that there are many risks in common across use cases.

### 4.1 Product Functions
### 4.1.1 Essential Functions

To access websites and make them available to users, web browsers need components to handle the following:

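Review bot: The context line directly above the renamed "### 4.1.1 Essential Functions" heading still reads "forseeable"; since this commit is tidying the same block, correct it to "foreseeable" here rather than in a later pass.
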
@@ -271,11 +271,9 @@ The specific architecture of web browsers can vary based on factors such as vend

## 4.3 Operational Environment

### 4.3.1 General description

Web browser serve as a medium for interaction between a system and the web, retrieving web resources and executing them client-side. Because of this, the operational environment in which they operate assumes that the resources they handle are inherently untrusted.

### 4.3.2 Security Functions
### 4.3.1 Security Functions

Regardless of use cases, vendor-specific implementations, and browser architecture specifics, all products with digital elements classified as web browsers that fall within the scope of the present document should provide the security functions laid out in this section.
The security functions of a web browser include:
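
Review bot: Dropping the "### 4.3.1 General description" heading leaves the "Web browser serve as a medium..." paragraph as unnumbered text directly under "## 4.3 Operational Environment", so the statement that handled resources are inherently untrusted no longer has a clause number of its own to cite. Either keep a numbered subclause for it or confirm that no requirement needs to point at it. In the same paragraph, "Web browser serve" should read "Web browsers serve", and a blank line is missing between "...laid out in this section." and "The security functions of a web browser include:", so in Markdown the list introduction runs into the preceding paragraph.
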
@@ -291,7 +289,7 @@ The security functions of a web browser include:
- **TLS enforcement.** A security function that enforces support for current TLS versions as defined by IETF RFC 8446 [\[i.7\]](#_ref_i.7) and successor standards, and the rejection of connections which use protocol versions identified as deprecated in IETF standards track RFCs, including RFC 8996 [\[i.16\]](#_ref_i.16) and successor standards.
- **Certificate validation.** A security function that includes validation of certificate chains, including certificate path as defined in IETF RFC 5280 [\[i.17\]](#_ref_i.17), and enforces Certificate Transparency as defined in IETF RFC 6962 [\[i.18\]](#_ref_i.18).

### 4.3.3 Distribution of Security Functions
### 4.3.2 Distribution of Security Functions

The aforementioned security functions inform the product-specific security requirements laid out in Clause 5.

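Review bot: Under the renumbered "### 4.3.2 Distribution of Security Functions", the first sentence still refers to "the aforementioned security functions" without saying where they are defined. Now that the list lives in 4.3.1 Security Functions (previous hunk), cite that clause by number, as the sentence already does for Clause 5, so the reference is unambiguous.
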
@@ -300,7 +298,7 @@ For each security function, a web browser may:
- **Provide it itself.** In this case, the security function is provided as a native component within the web browser’s codebase.
- **Require that it be provided by other parts of its context.** In this case, the browser delegates the provision of security functions to other components within its execution environment.

#### Security functions provided outside the product's context
### 4.3.3 Security functions provided outside the product's context

Across web browsers and operating systems, different choices are made in different contexts about what is provided by the web browser and what is implemented in the surrounding operating system and system libraries, with security functions performed at those other levels. These may include for example:

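Review bot: The new heading "### 4.3.3 Security functions provided outside the product's context" contradicts the bullet just above it, which describes the same option as delegation to "other parts of its context" and "other components within its execution environment": the heading places these functions outside the context, the bullet inside it. Align the wording, for example "Security functions provided by the product's context". Promoting the heading from #### to ### also makes it a sibling of 4.3.2 rather than a subclause of the distribution options it elaborates, and its sentence-case title differs from "Distribution of Security Functions".
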
@@ -314,7 +312,7 @@ Across web browsers and operating systems, different choices are made in differe

In such cases, when functionality is implemented outside of the browser in such system libraries or operating systems, the responsibility for handling the risk is transferred to this library, following a risk assessment by the browser which integrates the OS/library that this is reasonable.

#### Security functions provided to other components
### 4.3.4 Security functions provided to other components

Web browsers provide a secure, trustworthy environment to render websites, which may be used as part of other products.
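
Review bot: In the context paragraph above the renumbered "### 4.3.4 Security functions provided to other components" heading, responsibility is "transferred to this library" although the sentence names both system libraries and operating systems, and the risk assessment is attributed to "the browser which integrates the OS/library". Because this sentence allocates responsibility for handling risk, it should cover both the OS and the library case and state clearly which party performs the assessment. The heading's sentence case also differs from "Distribution of Security Functions" in 4.3.2.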