@@ -244,93 +244,141 @@ When applying the requirements of this standard to derivative browsers, manufact
Derivative browsers represent a practical and economically significant category of products within the browser market. This standard recognizes that reliance on well-maintained upstream security implementations is a valid engineering approach, while maintaining that manufacturers placing derivative products on the market retain full responsibility for the security properties of the products they distribute.
Derivative browsers represent a practical and economically significant category of products within the browser market. This standard recognizes that reliance on well-maintained upstream security implementations is a valid engineering approach, while maintaining that manufacturers placing derivative products on the market retain full responsibility for the security properties of the products they distribute.
# 2 References
### 1.2.6 State of the Art: Industry Testing and Security Practices
## 2.1 Normative references
The state of the art for browser development and security validation encompasses organizational practices, industry standards, and comprehensive testing regimes that manufacturers should demonstrate to establish the quality and security of their browser implementations, whether original or derivative.
_**In Harmonised Standards these references shall be specific** (identified by date of publication and/or edition number or version number) **publicly available and in English, except in exceptional circumstances making sure that impacts have been evaluated and explanations have been given on how any negative implications should be avoided** . See clauses 2.10.1 and 8.4 of the [EDRs](EDRs) and the communiqué on "[References in ETSI Deliverables](https://portal.etsi.org/Portals/0/TBpages/edithelp/Docs/News_from_editHelp/References_in_ETSI_deliverables.pdf)"._
**Organizational Practices and Resources**:
_Guidance for selecting normative references in harmonised standards is given in clause 2.8.3 of the Vademecum on European standardisation. Please **systematically consult with your Technical Officer** for the latest guidance on normative references other than to ENs, ISO/IEC standards, notably to prevent the risk of non-acceptance._
Reputable browser manufacturers, both upstream projects and derivative product vendors, demonstrate their commitment to security through:
_**Legal acts can never be used as normative references.**_
- **Adequate staffing**: Employment of sufficient numbers of developers and security personnel with expertise in browser architecture, web standards, cryptography, and vulnerability research
- **Security-focused development**: Dedicated security teams, secure development lifecycle practices, code review processes, and security architecture oversight
- **Transparency and communication**: Public disclosure of security policies, vulnerability handling procedures, and regular security bulletins
- **User commitment**: Published statements of commitment to user security and privacy, including privacy policies, data handling practices, and user control mechanisms
- **Update cadence**: Regular release schedules for security updates and patches, with clear timelines for critical vulnerability remediation
_It is recommended that the number of references be limited to the minimum needed for the implementation/application of the ETSI Deliverables. References not directly concerned with the implementation/application/understanding of the ETSI Deliverable shall be listed in the Bibliography annex._
**Industry Standards Compliance**:
_References are either specific (identified by date of publication and/or edition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies._
Browsers are expected to comply with applicable industry standards including but not limited to:
_Referenced documents which are not found to be publicly available in the expected location might be found in the [ETSI docbox](https://docbox.etsi.org/Reference/)._
- **Web Platform Tests (WPT)**: Comprehensive cross-browser test suite maintained by W3C and browser vendors, with public dashboard available at https://wpt.fyi/ showing conformance across implementations
- **Test262**: Official ECMAScript conformance test suite maintained by Ecma TC39, verifying JavaScript/ECMAScript specification compliance
- **W3C Test Suites**: Individual test suites for specific W3C specifications (CSS Working Group tests, HTML5 tests, etc.)
- **Acid Tests**: Historical but influential browser standards compliance tests (Acid1, Acid2, Acid3) developed by the Web Standards Project
References are either specific (identified by date of publication and/or edition number or version number) or nonspecific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.
**Functional and Compatibility Testing**:
> NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.
- **Selenium**: Open-source testing framework for browser automation, widely used for functional testing and regression testing across browsers
- **BrowserStack**: Cloud-based cross-browser testing platform enabling compatibility verification across browser versions, operating systems, and devices
- **Playwright/Puppeteer**: Modern browser automation and testing frameworks providing programmatic control for automated testing
The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's understanding but are not required for conformance to the present document.
**Security-Specific Testing and Validation**:
- <a name="_ref_i.1">[i.1]</a> Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).
- **CA/Browser Forum participation**: Engagement with the CA/Browser Forum (https://cabforum.org/working-groups/server/charter/) which establishes baseline requirements for certificate authorities and browser trust store policies
- **TLS/Certificate validation testing**: Testing against standard certificate validation scenarios, revocation checking, and TLS protocol compliance
- **Vulnerability disclosure programs**: Participation in responsible disclosure programs, bug bounty programs, and coordinated vulnerability disclosure processes
- **Penetration testing**: Regular security assessments by internal security teams or external security researchers
- <a name="_ref_i.1">[i.2]</a> NIST SP 800-128 (2011) Guide for Security-Focused Configuration Management of Information Systems
- **Ecma International**: Participation in ECMAScript (JavaScript) standardization through TC39
- **CA/Browser Forum**: Involvement in establishing requirements for certificate authorities and browser root programs
- **FIDO Alliance**: Participation in authentication standards development (WebAuthn, FIDO2)
## 3.1 Terms
**Implications for Derivative Browsers**:
Derivative browser manufacturers should demonstrate:
For the purposes of the present document, the [following] terms [given in ... and the following] apply:
1. **Upstream testing inheritance**: Evidence that the upstream project undergoes comprehensive testing via WPT, Test262, and other industry-standard test suites, with results publicly available
2. **Modification testing**: Testing of manufacturer-specific modifications using appropriate test frameworks to ensure modifications do not introduce regressions or security vulnerabilities
3. **Integration testing**: Validation that the integration of upstream components with manufacturer additions maintains standards compliance and security properties
4. **Security review process**: Documentation of security review procedures for modifications, including code review, security testing, and vulnerability assessment
5. **Update testing**: Verification that upstream updates are tested before distribution to ensure compatibility with manufacturer modifications
/// THIS IS THE DEFINITION MADE BY THE EXPERT GROUP DO NOT EDIT
Manufacturers may demonstrate compliance with industry testing practices by referencing:
Browsers: In the context of this category of products, browsers are software products with digital elements that enable end users to access and interact with web content hosted on servers that are connected to networks such as the Internet.
- Publicly available test results on wpt.fyi or similar dashboards
///
- Participation in open-source testing efforts
- Documentation of testing methodologies and results
- Third-party security assessments or certifications
- Membership in relevant standards bodies and working groups
Browsers: In the context of this category of products, browsers are software products with digital elements that enable end users to access and interact with web content hosted on servers that are connected to local and remote networks.
The state of the art represents a comprehensive approach to browser quality and security, combining organizational commitment, standards compliance, extensive automated testing, security-focused practices, and community engagement. Derivative browser manufacturers should demonstrate that their products meet or exceed these industry norms, either through inheritance from well-maintained upstream projects or through their own testing and validation processes.
Embedded Browsers: Embedded browsers are browsers that are intended for integration into another system or application.
# 2 References
Standalone Browsers: Standalone browsers are standalone applications that fulfil the functions of browsers.
## 2.1 Normative references
End Users: Natural persons who utilize browsers to access web content for personal, professional, or other purposes, including but not limited to browsing, reading, viewing multimedia content, and interacting with web applications.
_**In Harmonised Standards these references shall be specific** (identified by date of publication and/or edition number or version number) **publicly available and in English, except in exceptional circumstances making sure that impacts have been evaluated and explanations have been given on how any negative implications should be avoided** . See clauses 2.10.1 and 8.4 of the [EDRs](EDRs) and the communiqué on "[References in ETSI Deliverables](https://portal.etsi.org/Portals/0/TBpages/edithelp/Docs/News_from_editHelp/References_in_ETSI_deliverables.pdf)"._
Access: The capability to retrieve, load, and display web content from servers through network protocols, including establishing connections, downloading resources, and rendering content for user consumption.
_Guidance for selecting normative references in harmonised standards is given in clause 2.8.3 of the Vademecum on European standardisation. Please **systematically consult with your Technical Officer** for the latest guidance on normative references other than to ENs, ISO/IEC standards, notably to prevent the risk of non-acceptance._
Interact: The critical activity that defines browsing, encompassing user actions such as clicking hyperlinks, submitting forms, executing scripts, manipulating page elements, and engaging with dynamic web content through input devices.
_**Legal acts can never be used as normative references.**_
Raw Content: Unprocessed source code and data formats delivered by servers, including but not limited to XML, JSON, JavaScript, HTML, CSS, and other markup or programming languages before browser interpretation.
_It is recommended that the number of references be limited to the minimum needed for the implementation/application of the ETSI Deliverables. References not directly concerned with the implementation/application/understanding of the ETSI Deliverable shall be listed in the Bibliography annex._
Web Content: The displayed and rendered representation of raw content, transformed by browsers into human-perceivable formats including text, images, videos, interactive elements, and structured layouts as intended by content creators.
_References are either specific (identified by date of publication and/oredition number or version number) or non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies._
Servers: Computer systems or software applications that store, process, and deliver web content to browsers via network protocols, responding to browser requests with appropriate resources and data.
_Referenced documents which are not found to be publicly available in the expected location might be found in the [ETSI docbox](https://docbox.etsi.org/Reference/)._
Networks: Communication infrastructures that enable data transmission between browsers and servers, encompassing local area networks (LANs), wide area networks (WANs), and the global Internet.
> NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.
Browser Extensions: Software modules that augment browser functionality by adding features, modifying behavior, or enhancing user experience beyond the browser's core capabilities, typically installed and managed through the browser's extension system.
The following referenced documents are necessary for the application of the present document.
Progressive Web Applications: Web-based applications that operate within the browser environment, leveraging advanced browser APIs and capabilities to provide enhanced functionality including offline operation, background synchronization, push notifications, and device hardware access, while remaining fundamentally dependent on the browser's runtime and security model for execution and user interaction.
Custom Protocol: Non-standard or application-specific communication protocols that browsers may support for specialized content access or functionality, extending beyond traditional web protocols like HTTP/HTTPS.
## 2.2 Informative references
Accessing Webcontent: The complete process by which browsers retrieve, process, and present web resources to end users, encompassing network communication, content parsing, rendering, and user interface presentation.
References are either specific (identified by date of publication and/or edition number or version number) or nonspecific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.
Secondary fFnctionalities: Supplementary browser capabilities that support the primary browsing function, including but not limited to managing software updates, executing installation scripts, validating security certificates, and maintaining browser performance and security.
> NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee their long-term validity.
The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's understanding but are not required for conformance to the present document.
Likelihood: The probability or frequency of a threat event occurring within the browserecosystem, quantified through analysis of threat intelligence, historical incident data, and environmental factors affecting browser security.
- <a name="_ref_i.1">[i.1]</a> Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act).
Impact: The potential magnitude of harm resulting from the materialization of a threat event, measured in terms of data confidentiality breach, system availability loss, user privacy violation, or broader systemic consequences.
- <a name="_ref_i.1">[i.2]</a> NIST SP 800-128 (2011) Guide for Security-Focused Configuration Management of Information Systems
Intended purpose: The fundamental objective of enabling end users to retrieve, view, and interact with web content across networks, encompassing activities such as information retrieval, communication, commerce, entertainment, and web application usage, as designed and implemented by browser manufacturers to serve as the primary interface between users and the internet
Operational environment: The diverse technical and physical contexts in which browsers operate, including consumer devices (desktops, laptops, tablets, smartphones), enterprise systems, embedded systems, kiosks, smart TVs, gaming consoles, and specialized computing environments with varying network conditions, hardware capabilities, and security requirements.
# 3 Definition of terms, symbols and abbreviations
Categories of users: The distinct groups of individuals who utilize browsers, ranging from general consumers for personal browsing, enterprise users within corporate environments, developers and technical professionals, educational users, accessibility-dependent users, and specialized operators in industrial or governmental contexts, each with unique requirements and usage patterns.
## 3.1 Terms
Reasonably foreseeable use: Usage patterns and applications of browsers that, while potentially beyond stated intended purposes, can be anticipated by manufacturers based on user behavior, market trends, and technical capabilities of the product.
The terms below are important for understanding the purpose and usage of browsers. For the purposes of the present document, the following terms apply:
| Term | Definition |
|------|------------|
| **Access** | The capability to retrieve, load, and display web content from servers through network protocols, including establishing connections, downloading resources, and rendering content for user consumption. |
| **Accessing Web Content** | The complete process by which browsers retrieve, process, and present web resources to end users, encompassing network communication, content parsing, rendering, and user interface presentation. |
| **Browser Extensions** | Software modules that augment browser functionality by adding features, modifying behavior, or enhancing user experience beyond the browser's core capabilities, typically installed and managed through the browser's extension system. |
| **Browsers** | Software products with digital elements that enable end users to access and interact with web content hosted on servers that are connected to local and remote networks. <br><br>*Note: Expert group definition - In the context of this category of products, browsers are software products with digital elements that enable end users to access and interact with web content hosted on servers that are connected to networks such as the Internet.* |
| **Custom Protocol** | Non-standard or application-specific communication protocols that browsers may support for specialized content access or functionality, extending beyond traditional web protocols like HTTP/HTTPS. |
| **Embedded Browsers** | Browsers that are intended for integration into another system or application. |
| **End Users** | Natural persons who utilize browsers to access web content for personal, professional, or other purposes, including but not limited to browsing, reading, viewing multimedia content, and interacting with web applications. |
| **Interact** | The critical activity that defines browsing, encompassing user actions such as clicking hyperlinks, submitting forms, executing scripts, manipulating page elements, and engaging with dynamic web content through input devices. |
| **Networks** | Communication infrastructures that enable data transmission between browsers and servers, encompassing local area networks (LANs), wide area networks (WANs), and the global Internet. |
| **Progressive Web Applications** | Web-based applications that operate within the browser environment, leveraging advanced browser APIs and capabilities to provide enhanced functionality including offline operation, background synchronization, push notifications, and device hardware access, while remaining fundamentally dependent on the browser's runtime and security model for execution and user interaction. |
| **Raw Content** | Unprocessed source code and data formats delivered by servers, including but not limited to XML, JSON, JavaScript, HTML, CSS, and other markup or programming languages before browser interpretation. |
| **Servers** | Computer systems or software applications that store, process, and deliver web content to browsers via network protocols, responding to browser requests with appropriate resources and data. |
| **Standalone Browsers** | Standalone applications that fulfil the functions of browsers. |
| **Web Content** | The displayed and rendered representation of raw content, transformed by browsers into human-perceivable formats including text, images, videos, interactive elements, and structured layouts as intended by content creators. |
