Unverified Commit eb9ed09d authored by Daniel Thompson-Yvetot

v0.0.4

parent 9d164fd6
+35 −41
@@ -116,7 +116,7 @@ In the present document "**should** ", "**should not** ", "**may** ", "**need no
# Executive summary
Browsers represent one of the most complex and security-critical software products in modern computing, serving as the primary gateway between users and internet resources while processing untrusted content from millions of sources daily. The browser's architecture encompasses multiple interconnected subsystemsincluding rendering engines, JavaScript/WebAssembly execution environments, network stacks, and extension frameworks, each presenting distinct attack surfaces that shall be defended while maintaining performance, compatibility with legacy web content, and user autonomy.
Browsers represent one of the most complex and security-critical software products in modern computing, serving as the primary gateway between users and internet resources while processing untrusted content from millions of sources daily. The browser's architecture encompasses multiple interconnected subsystems - including rendering engines, JavaScript/WebAssembly execution environments, network stacks, and extension frameworks, each presenting distinct attack surfaces that shall be defended while maintaining performance, compatibility with legacy web content, and user autonomy.
Unlike traditional security products that can enforce restrictive controls, browsers shall balance protection against an evolving threat landscape with respect for user choice, creating unique challenges where users may deliberately choose to visit malicious sites, install risky extensions, or disable security features. The browser's multi-layered trust model, spanning from the highly privileged browser core through semi-trusted extensions to completely untrusted web content, requires sophisticated isolation mechanisms, granular permission systems, and careful mediation of system resource access. 
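Review bot: the dash inserted after "subsystems" on the modified line has no closing counterpart; the aside "including rendering engines, JavaScript/WebAssembly execution environments, network stacks, and extension frameworks" ends with a plain comma before "each presenting", so the sentence reads as an unterminated parenthetical. Either close it with a second dash, as the ENC-REQ hunk further down in this same commit does ("- which indicate active man-in-the-middle attacks or certificate misissuance -"), or use a colon: "subsystems: rendering engines, ..., and extension frameworks, each presenting ...". Separately, "shall be defended" in an executive summary is a normative keyword in informative text; "need to be defended" says the same thing without creating an unnumbered requirement.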
@@ -185,7 +185,7 @@ A significant proportion of browsers placed on the market are derivative product
Open source browser projects such as Chromium, Gecko (Firefox), and WebKit provide complete or near-complete browser implementations that serve as the foundation for derivative products. These upstream projects are stewarded by organizations that maintain the core rendering engines, JavaScript execution environments, network stacks, and security architectures, but the projects themselves do not constitute products placed on the EU market with CE marking.
When an economic operator takes such an open source project, applies modifications (whether substantial or minor), and places the resulting browser on the market under their own brand or distribution channel, that operator becomes a manufacturer under the Cyber Resilience Act <a name="_ref_i.1">[i.1]</a>. This classification applies regardless of the extent of modificationfrom minor branding and default configuration changes to substantial feature additions, custom user interfaces, or integration of proprietary services.
When an economic operator takes such an open source project, applies modifications (whether substantial or minor), and places the resulting browser on the market under their own brand or distribution channel, that operator becomes a manufacturer under the Cyber Resilience Act <a name="_ref_i.1">[i.1]</a>. This classification applies regardless of the extent of modification - from minor branding and default configuration changes to substantial feature additions, custom user interfaces, or integration of proprietary services.
### 1.2.2 Spectrum of Derivative Modifications
@@ -308,6 +308,7 @@ Derivative browser manufacturers should demonstrate:
5. **Update testing**: Verification that upstream updates are tested before distribution to ensure compatibility with manufacturer modifications
Manufacturers may demonstrate compliance with industry testing practices by referencing:
- Publicly available test results on wpt.fyi or similar dashboards
- Participation in open-source testing efforts
- Documentation of testing methodologies and results
@@ -364,17 +365,31 @@ The terms below are important for understanding the purpose and usage of browser
| **Accessing Web Content** | The complete process by which browsers retrieve, process, and present web resources to end users, encompassing network communication, content parsing, rendering, and user interface presentation. |
| **Browser Extensions** | Software modules that augment browser functionality by adding features, modifying behavior, or enhancing user experience beyond the browser's core capabilities, typically installed and managed through the browser's extension system. |
| **Browsers** | Software products with digital elements that enable end users to access and interact with web content hosted on servers that are connected to local and remote networks. <br><br>*Note: Expert group definition - In the context of this category of products, browsers are software products with digital elements that enable end users to access and interact with web content hosted on servers that are connected to networks such as the Internet.* |
| **Certificate** | A digital document issued by a Certificate Authority that validates the identity of a website and enables encrypted HTTPS connections, verified by browsers through cryptographic signature validation and certificate chain trust evaluation to prevent man-in-the-middle attacks. |
| **Content Security Policy (CSP)** | A browser security mechanism that allows web applications to declare approved sources for executable scripts, styles, and other resources through HTTP headers or meta tags, mitigating cross-site scripting attacks by preventing execution of unauthorized code. |
| **Cross-Site Scripting (XSS)** | A security vulnerability that allows attackers to inject malicious scripts into trusted websites viewed by other users, potentially stealing credentials, session tokens, or sensitive data by executing attacker-controlled code in the victim's browser context. |
| **Custom Protocol** | Non-standard or application-specific communication protocols that browsers may support for specialized content access or functionality, extending beyond traditional web protocols like HTTP/HTTPS. |
| **Embedded Browsers** | Browsers that are intended for integration into another system or application. |
| **End Users** | Natural persons who utilize browsers to access web content for personal, professional, or other purposes, including but not limited to browsing, reading, viewing multimedia content, and interacting with web applications. |
| **Exploit** | A technique, code, or sequence of actions that takes advantage of a vulnerability to achieve unauthorized behavior, such as arbitrary code execution, privilege escalation, sandbox escape, or information disclosure. |
| **Extension API** | Programming interfaces exposed by browsers that enable extensions to access browser functionality, modify web content, intercept network requests, or integrate with browser features, subject to declared permissions and security policies. |
| **Interact** | The critical activity that defines browsing, encompassing user actions such as clicking hyperlinks, submitting forms, executing scripts, manipulating page elements, and engaging with dynamic web content through input devices. |
| **Man-in-the-Middle (MITM) Attack** | An attack where an adversary intercepts and potentially modifies network communication between a browser and server, often exploiting weak encryption, invalid certificates, or unencrypted HTTP connections to eavesdrop on or manipulate data transmission. |
| **Networks** | Communication infrastructures that enable data transmission between browsers and servers, encompassing local area networks (LANs), wide area networks (WANs), and the global Internet. |
| **Origin** | A fundamental security boundary defined by the combination of scheme (protocol), host (domain), and port of a URL, forming the basis for Same-Origin Policy enforcement and determining which web content can access shared resources, storage, and APIs. |
| **Permission** | A user-granted authorization that allows web content to access sensitive browser capabilities or device hardware (camera, microphone, location, notifications, etc.), managed through explicit user consent prompts and revocable through browser settings. |
| **Process Isolation** | The architectural pattern of separating browser components and web content into distinct operating system processes with independent memory spaces and restricted inter-process communication, containing the impact of security vulnerabilities and preventing cross-context data leakage. |
| **Progressive Web Applications** | Web-based applications that operate within the browser environment, leveraging advanced browser APIs and capabilities to provide enhanced functionality including offline operation, background synchronization, push notifications, and device hardware access, while remaining fundamentally dependent on the browser's runtime and security model for execution and user interaction. |
| **Raw Content** | Unprocessed source code and data formats delivered by servers, including but not limited to XML, JSON, JavaScript, HTML, CSS, and other markup or programming languages before browser interpretation. |
| **Renderer Process** | A sandboxed browser process responsible for parsing, executing, and displaying web content including HTML, CSS, and JavaScript, isolated from other content and the browser core to contain potential exploits within a restricted security boundary. |
| **Same-Origin Policy** | The core browser security model that restricts how documents and scripts from one origin can interact with resources from another origin, preventing malicious websites from reading sensitive data or performing unauthorized actions on behalf of users across different web applications. |
| **Sandbox** | An operating system-level security mechanism that restricts the capabilities and system access of browser processes, limiting damage from compromised web content by preventing unauthorized filesystem access, system call execution, or privilege escalation beyond defined boundaries. |
| **Servers** | Computer systems or software applications that store, process, and deliver web content to browsers via network protocols, responding to browser requests with appropriate resources and data. |
| **Standalone Browsers** | Standalone applications that fulfil the functions of browsers. |
| **Telemetry** | Automated collection and transmission of browser usage data, performance metrics, crash reports, and diagnostic information to browser manufacturers for product improvement, typically requiring user consent and subject to privacy controls and data minimization principles. |
| **Vulnerability** | A weakness or flaw in browser implementation that can be exploited by malicious actors to bypass security controls, execute arbitrary code, access unauthorized data, or compromise system integrity, typically addressed through security updates and patches. |
| **Web Content** | The displayed and rendered representation of raw content, transformed by browsers into human-perceivable formats including text, images, videos, interactive elements, and structured layouts as intended by content creators. |
| **WebView** | A platform-specific embedded browser component that enables applications to display web content within their user interface, providing a subset of full browser functionality while operating under the security context and lifecycle of the host application. Common implementations include Android WebView, iOS WKWebView, Windows WebView2, and cross-platform frameworks such as Electron and Chromium Embedded Framework (CEF). |
| **WebView** | A platform-specific embedded browser component that enables applications to display web content within their user interface, providing a subset of full browser functionality while operating under the security context and lifecycle of the host application. Common implementations include Android WebView, iOS WKWebView, Windows WebView2, and cross-platform frameworks such as Electron, Tauri, and Chromium Embedded Framework (CEF). |
## 3.2 Symbols
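Review bot: the new "Vulnerability" and "Exploit" rows define terms that the Cyber Resilience Act [i.1] already defines; a document whose scope is CRA conformity should reuse the Act's definition of "vulnerability" verbatim or state where it diverges, because the wording here ("weakness or flaw in browser implementation ... typically addressed through security updates and patches") reads as excluding vulnerabilities that live in configuration, defaults or bundled third-party components, all of which the derivative-product clauses in this document hold the manufacturer responsible for. One wording fix in the other rows: "Certificate" says the certificate "validates the identity of a website", but a certificate only binds a public key to a subject name; the validating is done by the browser's chain building and signature checks that the same row goes on to describe, so "attests to the identity of a website" or "binds a website's identity to a public key" is the accurate phrasing.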
@@ -2678,7 +2693,7 @@ This section covers assessment procedures for requirements DOM-REQ-1 through DOM
2. Load web content from multiple origins (https://example.com, https://test.com)
3. Verify that third-party integrations cannot access cross-origin DOM without proper permissions
4. Test that third-party code cannot read localStorage or cookies from other origins
5. Verify that integrations requiring cross-origin access must declare explicit permissions
5. Verify that integrations requiring cross-origin access declare explicit permissions
6. Test that integration-provided APIs are subject to CORS when accessed cross-origin
7. Verify that third-party integrations run in appropriately isolated processes
8. Test that integration code injected into pages respects Content Security Policy
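Review bot: step 2 uses https://test.com as the second origin; test.com is a registered, live domain, not a reserved one, so a lab executing this procedure against a real browser will send requests to a third party. Use the RFC 2606 reserved names (example.com alongside example.org or example.net) or two locally served origins on distinct ports, which also makes the cross-origin checks in steps 3 and 4 reproducible offline. The change to step 5 ("must declare" to "declare") is fine in intent, but "declare explicit permissions" now reads as an observation rather than the condition under test; "are required to declare explicit permissions" keeps the pass/fail meaning without reintroducing "must".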
@@ -3753,7 +3768,7 @@ This section covers assessment procedures for requirements EXT-REQ-1 through EXT
6. Verify that command-line flags cannot bypass store restriction
7. Test that enterprise policies cannot enable sideloading in EXT-1 mode
8. Verify that users are informed why sideloading is disabled
9. Test that extension update URLs must point to official store
9. Test that extension update URLs point to official store
10. Verify that self-hosted extension updates are rejected
11. Check that browser UI provides clear guidance for installing extensions
12. Confirm that all installed extensions show official store provenance
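Review bot: step 9 after the change ("extension update URLs point to official store") states an observed property rather than what is being enforced, and step 10 already covers rejection of self-hosted updates, so the two steps now overlap without saying what distinguishes them. Suggest "Test that extension update URLs are restricted to the official store" for step 9, leaving step 10 as the negative case. Also, "official store" appears without an article in both steps; "the official store" throughout this list.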
@@ -5156,7 +5171,7 @@ This section covers assessment procedures for requirements ENC-REQ-1 through ENC
**Given**: A conformant browser with ENC-0 capability (full encryption with HSM support)
**Task**: Verify that the browser prohibits user override of certificate pinning failures to prevent users from being socially engineered into accepting fraudulent certificates, ensuring that pinning violationswhich indicate active man-in-the-middle attacks or certificate misissuanceare treated as hard failures that cannot be bypassed, protecting high-security environments where certificate pinning is a critical defense against targeted attacks on specific domains.
**Task**: Verify that the browser prohibits user override of certificate pinning failures to prevent users from being socially engineered into accepting fraudulent certificates, ensuring that pinning violations - which indicate active man-in-the-middle attacks or certificate misissuance - are treated as hard failures that cannot be bypassed, protecting high-security environments where certificate pinning is a critical defense against targeted attacks on specific domains.
**Verification**:
@@ -5870,7 +5885,7 @@ This section covers assessment procedures for requirements LOG-REQ-1 through LOG
**Given**: A conformant browser with LOG-1 or higher capability
**Task**: Verify that explicit user consent for telemetry protects user privacy rights and complies with data protection regulations including GDPR and CPRA. Without proper consent mechanisms, browsers may violate privacy laws by collecting personal data without permission, and users are deprived of control over their information. Consent must be freely given, specific, informed, and revocable to meet legal and ethical standards.
**Task**: Verify that explicit user consent for telemetry protects user privacy rights and complies with data protection regulations including GDPR and CPRA. Without proper consent mechanisms, browsers may violate privacy laws by collecting personal data without permission, and users are deprived of control over their information. Consent shall be freely given, specific, informed, and revocable to meet legal and ethical standards.
**Verification**:
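Review bot: the sentence "Consent shall be freely given, specific, informed, and revocable" sits in the Task rationale, not in a requirement, so the new "shall" turns a justification into an unnumbered normative statement. Either point at the LOG requirement that actually mandates these properties, or use non-keyword wording such as "needs to be freely given, ..."; the properties are drawn from the GDPR (the definition of consent in Article 4(11) and the right of withdrawal in Article 7(3)) and can be cited as such rather than restated as a requirement of this document.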
@@ -6438,7 +6453,7 @@ This section covers assessment procedures for requirements LOG-REQ-1 through LOG
   - Modify settings
5. Verify that no log files are created or populated
6. Access browser settings to find logging configuration
7. Verify that logging must be explicitly enabled by user
7. Verify that logging is explicitly enabled by user
8. Test enabling logging through settings
9. Verify that opt-in requires clear user action (not pre-checked checkbox)
10. After enabling, verify that logs are created
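Review bot: step 7 changed from "logging must be explicitly enabled by user" to "logging is explicitly enabled by user", which changes what the tester checks. The original verifies that no other path (default configuration, policy, remote configuration) turns logging on; the new text reads as if logging is already enabled at step 7, which contradicts step 5 ("no log files are created or populated") and step 8, where enabling only happens later. Suggest "Verify that logging cannot be enabled without explicit user action".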
@@ -6747,7 +6762,7 @@ This section covers assessment procedures for requirements LOG-REQ-1 through LOG
   - Management indicator in settings
   - Policy explanation accessible to users
   - Contact information for IT department
9. Verify that policy can specify exactly what must be logged
9. Verify that policy can specify exactly what shall be logged
10. Test that policy enforcement persists across browser updates
11. Verify that policy changes propagate to managed browsers
12. Check that users can view what data is being collected even if they can't disable it
@@ -7138,7 +7153,7 @@ This section covers assessment procedures for requirements UPD-REQ-1 through UPD
**Given**: A conformant browser with UPD-2 or higher capability
**Task**: Verify that component-level updates enable rapid patching of critical subsystems like JavaScript engines or rendering engines without waiting for full browser release cycles, reducing the window of exposure for component-specific vulnerabilities. Monolithic update systems delay security fixes because all components must be tested together, while independent component updates allow targeted, accelerated security patching for high-risk subsystems.
**Task**: Verify that component-level updates enable rapid patching of critical subsystems like JavaScript engines or rendering engines without waiting for full browser release cycles, reducing the window of exposure for component-specific vulnerabilities. Monolithic update systems delay security fixes because all components should be tested together, while independent component updates allow targeted, accelerated security patching for high-risk subsystems.
**Verification**:
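Review bot: replacing "must" with "should" in "all components should be tested together" changes the meaning of the rationale. The sentence explains why monolithic update systems delay fixes (they are forced to test every component together before shipping any of them); it is not a recommendation that they do so, and "should" makes it read as one. "have to be tested together" or "are tested together" keeps the factual statement without the keyword.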
@@ -7570,7 +7585,7 @@ This section covers assessment procedures for requirements UPD-REQ-1 through UPD
**Given**: A conformant browser with UPD-1 or higher capability
**Task**: Verify that forced update mechanisms can override user preferences when actively exploited critical vulnerabilities require immediate patching, preventing scenarios where user inaction leaves browsers vulnerable to widespread attacks. This emergency response capability must be protected against abuse through cryptographic verification while ensuring that users running vulnerable versions are protected even if they attempt to defer updates.
**Task**: Verify that forced update mechanisms can override user preferences when actively exploited critical vulnerabilities require immediate patching, preventing scenarios where user inaction leaves browsers vulnerable to widespread attacks. This emergency response capability is to be protected against abuse through cryptographic verification while ensuring that users running vulnerable versions are protected even if they attempt to defer updates.
**Verification**:
@@ -7955,7 +7970,7 @@ This section covers assessment procedures for requirements UPD-REQ-1 through UPD
**Given**: A conformant browser with UPD-1 capability (automatic with postponement)
**Task**: Verify that users can postpone non-critical updates for a limited time (maximum 7 days), providing flexibility for users to control update timing while ensuring that security patches are not delayed indefinitely, balancing user autonomy with security needs by enforcing reasonable time limits after which updates must be applied.
**Task**: Verify that users can postpone non-critical updates for a limited time (maximum 7 days), providing flexibility for users to control update timing while ensuring that security patches are not delayed indefinitely, balancing user autonomy with security needs by enforcing reasonable time limits after which updates shall be applied.
**Verification**:
@@ -8433,7 +8448,7 @@ This section covers assessment procedures for requirements UPD-REQ-1 through UPD
   - No automatic installation during idle time
   - No installation on browser restart
   - No forced installation for critical updates
6. Test that user must explicitly:
6. Test that user should explicitly:
   - Manually check for updates
   - Manually trigger download
   - Manually initiate installation
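Review bot: step 6 is the core check for a manual-update-only capability, and "Test that user should explicitly: ..." weakens it to an expectation about user behaviour; what the tester confirms is that no update proceeds until the user performs each of the three listed actions. "Test that the user is required to explicitly: ..." or "Test that none of the following happens without explicit user action: ..." preserves the pass/fail criterion and stays consistent with the negative checks in step 5 above it.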
@@ -9036,7 +9051,7 @@ This section covers assessment procedures for requirements PRO-REQ-1 through PRO
**Given**: A conformant browser with PRO-1 or higher capability
**Task**: Verify that handler capability restrictions prevent privilege escalation where malicious handlers exploit protocol invocation to gain unauthorized access to APIs or bypass security policies. Handlers must operate within their origin's security context without inheriting privileges from the protocol scheme itself, preventing attackers from using custom protocols to circumvent same-origin policy or Content Security Policy restrictions.
**Task**: Verify that handler capability restrictions prevent privilege escalation where malicious handlers exploit protocol invocation to gain unauthorized access to APIs or bypass security policies. Handlers shall operate within their origin's security context without inheriting privileges from the protocol scheme itself, preventing attackers from using custom protocols to circumvent same-origin policy or Content Security Policy restrictions.
**Verification**:
@@ -12956,17 +12971,17 @@ _List any related ETSI standards and how they interact with the present document
# Annex D (informative): Risk identification and assessment methodology
## C.1 Assets
## D.1 Assets
### C.1.1 Data
### D.1.1 Data
_What data is stored on the product?_
### C.1.2 Product functions
### D.1.2 Product functions
_See the functions in Section 4.4._
## C.2 Threats
## D.2 Threats
_Based on the assets, what are the threats during:_
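Review bot: the C.x to D.x renumbering matches the "# Annex D" heading, but the hunk header shows this annex follows the "related ETSI standards" section and the Annex J/K removal further down shows annexes are being reshuffled, so grep the body for cross-references to "C.1", "C.2", "C.3", "C.4" and to "Section 4.4" (quoted in D.1.2) and confirm they still resolve after the rename. The italic placeholder lines ("_What data is stored on the product?_") are still template guidance rather than content; the annex is informative, but the prompts should be answered or the annex removed before the document is released.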
@@ -12975,7 +12990,7 @@ _Based on the assets, what are the threats during:_
_Example threats can be found in the same documents suggested in the section on security requirements._
## C.3 Assumptions
## D.3 Assumptions
_List assumptions that are relevant to the risk analysis for these threats. Everything is hackable if you try hard enough. What kinds of threats are in and out of scope? What are you assuming is the sophistication of attack? Relate to use cases. Some examples might include:_
@@ -12983,7 +12998,7 @@ _List assumptions that are relevant to the risk analysis for these threats. Ever
- _Not using sophisticated or expensive hardware snooping techniques_
- _No secret hardware backdoors in other components_
## C.4 Risk assessments of threats
## D.4 Risk assessments of threats
_For each threat identified above, use likelihood and magnitude of the threat to assess its risk in the context of use cases. The results should be consistent with the mapping of use cases to security levels._
@@ -13012,27 +13027,6 @@ _Describe how to decide if residual risks are tolerable._
_Describe how to treat any residual risks, for example by documenting them or informing the user._
# Annex J
- potential vulnerability
- discovered vulnerability
- known vulnerability
- publicly known vulnerability
- actively exploited vulnerability
- exploited vulnerability
- exploitable vulnerability
- known exploitable vulnerability
- known newly emerged vulnerability
- notified vulnerability
- AI specific vulnerability
- fixed vulnerability
- https://wpt.fyi/results/cors?label=stable&label=master&aligned
- https://html5test.co/ 
- https://caniuse.com/
- https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/faq.md 
- https://chromium.googlesource.com/chromium/src/+/master/docs/security/compromised-renderers.md
# Annex K
Crypto todo
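Review bot: the deleted Annex J list distinguishes "actively exploited vulnerability", "known exploitable vulnerability", "publicly known vulnerability" and similar terms that the body relies on (the UPD-REQ hunk above justifies forced updates by "actively exploited critical vulnerabilities"), while the terms table in this commit only adds a generic "Vulnerability" and "Exploit" row. If the list is no longer wanted as an annex, at least the distinctions the update requirements depend on ("actively exploited", "publicly known") should move into the 3.1 table; otherwise the forced-update and postponement criteria have no defined trigger. The deleted chromium link with "+/master/" in its path points at a branch name that has since been replaced; if any of these references are kept elsewhere, use the "+/HEAD/" form the FAQ link already uses. "Crypto todo" under Annex K is removed with no replacement visible in this commit; confirm the cryptography material landed elsewhere rather than being dropped.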
+1 −0
,denjell,Daniels-MacBook-Pro-3.local,31.10.2025 13:16,file:///Users/denjell/Library/Application%20Support/LibreOffice/4;
 No newline at end of file
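Review bot: this one-line file is a LibreOffice lock file (the `.~lock.<document>#` files LibreOffice creates while a document is open), and its content records the user name, the machine hostname and an absolute local profile path. Remove it from the commit and add `.~lock.*#` to `.gitignore`: the file changes on every open of the document, and committing it leaks workstation details into the repository history.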
+1020 KiB

File added.

No diff preview for this file type.

+470 KiB

File added.

No diff preview for this file type.

+13442 −0

File added.

Preview size limit exceeded, changes collapsed.
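Review bot: two binary files (1020 KiB and 470 KiB) and a 13442-line file are added in the same commit as the keyword wording changes, under the commit message "v0.0.4", which does not say what they are. Large binaries in a specification repository are usually the rendered outputs (PDF, DOCX) of the markdown source; if so, they should either be produced by CI and attached to the release rather than versioned, or at least be named in the commit message so the change can be reviewed. Splitting this into one commit for the "must" to "shall"/"should" wording pass, one for the annex restructuring and one for the generated artefacts would make each part reviewable on its own.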
