Commit ecb781b2 authored by Daniel Thompson-Yvetot

Merge branch 'molly-working-tree' into 'main'

update(from word)

See merge request cyber/stan4cr2/en-304-617!4
parents f39e4ab7 bb2e6d66
+90 −29


<div align="center">

**ETSI EN LLL-LLL DDD Vm.t.e (yyyy-mm)**
**ETSI EN 304-617 V0.0.1 (2025-08)**
</div>

![~~CAPTION~~](media/etsi-coverpage-logo.png)
HARMONISED EUROPEAN STANDARD  

<div align="center">


Title;<br />

Part #: Part element of title;<br />

Sub-part #: Sub-part element of title<br />

Release #
CYBER; CRA; <br />
Essential cybersecurity requirements for browsers 

</div>

@@ -23,7 +17,6 @@ Release #
<br />
<br />

_Should you need a step-by-step guide for drafting an ETSI deliverable, please consult the "_ [_Principles for Drafting ETSI Deliverables_ ](_Principles for Drafting ETSI Deliverables_ )_" document. Otherwise you may contact us at_ [_edithelp@etsi.org_ ](mailto:edithelp@etsi.org).


<br />
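Review bot: the drafting-guidance paragraph beginning "Should you need a step-by-step guide for drafting an ETSI deliverable" is editorial template text that should not survive into the deliverable body, and its hyperlink is broken: the target `(_Principles for Drafting ETSI Deliverables_ )` is the link's own label rather than a URL, so it renders as a dead relative link. Drop the paragraph, or, if it is kept while drafting, point the link at the actual document location.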
@@ -146,14 +139,42 @@ In the present document "**should** ", "**should not** ", "**may** ", "**need no


# Introduction
This European harmonised standard defines cybersecurity requirements applicable to browsers.

This document will provide security requirements and assessment criteria covering all elements defined in CRA Annex I Part 1 and Part 2 for stand alone browsers, as mentioned in CRA Annex III Class I important products.
This work item intends to produce an EN as candidate for harmonisation, under the standardisation request in support of the implementation of the CRA (M/606).


<br />


# 1 Scope
The present document ...
This standard focuses on browsers, both standalone and embedded. Browsers are software products with digital elements that enable end users to access and interact with web content hosted on servers that are connected to local and remote networks.

Within the context of an operating system, browsers are user-applications with a primary function and probable daily use. They are often leveraged as means of accessing remote authentication (single-sign-on) or even as a bridge (deep-link) to another application that has already been installed. In both cases, all systems have the notion of a “default browser” that can then be instrumented by other applications to navigate to a website or perform such an activity.

The activity of browsing can be defined in the following steps: 
1. A machine acquires source code, such as HTML, JavaScript, and CSS.
2. This source is represented visually, acoustically, or in some other form.
3. The user interacts with this representation by looking, reading, entering data, clicking, etc.

## 1.1	Browser 

### 1.1.1	Standalone 
Standalone browsers are standalone applications that fulfil the functions of browsing.

They are monolithic programs with features that enable their users to undertake the activity of “browsing” as described above. A standalone browser may be used for everyday tasks such as reading email, managing a calendar, or consuming the news. 

Such programs commonly have interfaces for managing multiple websites, browsing history, bookmarks, user identities, passwords, and other settings. 

They can commonly be extended with browser extensions, which are products with digital elements that have the ability to read, store, and modify the websites that users interact with.

### 1.1.2 Embedded
Embedded browsers are browsing services that are integrated into another system or application. 

As such, they are programs using the same baseline technology of browsing but are commonly used for “single purpose” browsing. This means that instead of opening the user’s preferred standalone browser, the hosting application will open an embedded browser to keep the user’s attention. It is not common for a user to be able to change the configuration of an embedded browser.

In a PWA or Progressive Web App, an application can be “installed” to the user’s device from a standalone browser, and then interacted with in an isolated context as if it were a native application. 

# 2 References
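Review bot: the Introduction and the Scope disagree on product coverage. The Introduction limits the document to "stand alone browsers, as mentioned in CRA Annex III Class I important products", while clause 1 opens with `This standard focuses on browsers, both standalone and embedded.` and then defines embedded browsers and PWAs in 1.1.2. Decide whether embedded browsers are in scope and on what basis, align both clauses, and normalise "stand alone" to "standalone" as used everywhere else; the sentence "This work item intends to produce an EN as candidate for harmonisation" is work-item wording that belongs in the terms of reference rather than the Introduction. Smaller points in the same hunk: the template stub `The present document ...` is still present above the real scope sentence and should be removed; "all systems have the notion of a 'default browser'" overstates, "most operating systems" or a qualifier is safer; step 1 of the browsing activity calls HTML and CSS "source code", where "web content (HTML, CSS, JavaScript, media)" is more accurate; and the statement that a hosting application opens an embedded browser "to keep the user's attention" omits the security-relevant consequence, namely that the user usually cannot see the URL or TLS indicators and cannot change the configuration, which is what motivates separate requirements for embedded browsers and should be stated here. Clause 1.1.2 also places PWAs under embedded browsers although they are installed from, and run on, a standalone browser; say explicitly which category a PWA context falls into.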

@@ -177,23 +198,69 @@ The following referenced documents may be useful in implementing an ETSI deliver

For the purposes of the present document, the [following] terms [given in ... and the following] apply:

Browsers: In the context of this category of products, browsers are software products with digital elements that enable end users to access and interact with web content hosted on servers that are
connected to local and remote networks.

Embedded Browsers: Embedded browsers are browsers that are intended for integration into another system or application.

Standalone Browsers: Standalone browsers are standalone applications that fulfil the functions of browsers.

Likelihood: The probability or frequency of a threat event occurring. This is influenced by various likelihood factors.

Impact: The magnitude of harm if a threat event materialises. This is determined by various impact factors.

Intended purpose: [to be defined]

Operational environment/categories of users: [to be defined]

Reasonably foreseeable use: [to be defined]


## 3.2 Symbols
For the purposes of the present document, the [following] symbols [given in ... and the following] apply:

[to be added]

# 4	Compliant Products
## 4.1	Standalone Browsers

### 4.1.1	In-Scope components
The following components are within the product boundary of the standard:
- [to be defined]

### 4.1.2	Out-of-scope components
The following are considered outside the product boundary but may be security-relevant environmental components:
- [to be defined]

## 3.3 Abbreviations
## 4.2	Embedded Browsers
### 4.2.1	In-Scope components
The following components are within the product boundary of the standard:
- [to be defined]

For the purposes of the present document, the [following] abbreviations [given in ... and the following] apply:
### 4.2.2	Out-of-scope components
The following are considered outside the product boundary but may be security-relevant environmental components:
- [to be defined]

# 5 Representative Use Cases
## 5.1 Purpose and Rationale
In accordance with the proportionality principle mandated by the CRA, this clause defines representative use cases for password managers. These use cases illustrate typical deployment contexts that influence the selection and applicability of security requirements.
Each use case is associated with a general risk level, derived directly from the application of the risk assessment methodology detailed in Annex A. This risk management level serves as a foundational element for determining the stringency of security requirements. While these use cases are representative, specific deployment scenarios will necessitate a more granular and detailed risk assessment, also guided by Annex A.

## 5.2 Use Cases for Browsers
UC-B1: 
- Description: 
- Example environments: 
- Risk level: (see Annex ??)

# 4 User defined clause(s) from here onwards
UC-B2: 
- Description: 
- Example environments: 
- Risk level: (see Annex ??)

## 4.1 User defined subdivisions of clause(s) from here onwards
UC-B3: 
- Description: 
- Example environments: 
- Risk level: (see Annex ??)

<br />
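Review bot: clause 5.1 says `this clause defines representative use cases for password managers`, which reads as a copy-paste from a sibling deliverable and must say "for browsers". In the same hunk, all three use cases cite `Risk level: (see Annex ??)` while 5.1 already names Annex A as the risk assessment methodology, so reference Annex A consistently. Structurally, the `## 3.3 Abbreviations` heading and its lead sentence appear interleaved with clause 4 (between 4.1.2 and 4.2, and between 4.2.1 and 4.2.2), and the template lines "# 4 User defined clause(s) from here onwards" and "## 4.1 User defined subdivisions of clause(s) from here onwards" sit between UC-B1 and UC-B3; check that 3.3 ends up as a complete clause before clause 4 and that the template clause headings are removed rather than left among the use cases. Finally, the definition "Standalone browsers are standalone applications that fulfil the functions of browsers" is circular; define the term by contrast to embedded browsers (a browser delivered and operated as its own user-configurable application) instead of repeating the term being defined.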

@@ -233,14 +300,8 @@ For the purposes of the present document, the [following] abbreviations [given i

# History

+-------------------------------------------------+
|Document History                                 |
+:==============+:==============+:================+
| Version      | Date         | Milestone      |
+---------------+---------------+-----------------+
|--------------|--------------|---------------|
| <Month year> | <#>          | <Changes made>|
+---------------+---------------+-----------------+
|              |              |               |
+---------------+---------------+-----------------+
|              |              |               |
+---------------+---------------+-----------------+
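Review bot: the Document History table mixes two table syntaxes and has its columns shifted. A pipe-table separator row `|--------------|--------------|---------------|` is placed inside a grid table drawn with `+---+` borders, which will break rendering in either syntax, and the placeholder row `| <Month year> | <#>          | <Changes made>|` puts a date under Version and a number under Date, whereas the header order is Version, Date, Milestone. Keep one syntax (the grid table already has the `+:===+` header separator), remove the stray pipe separator, and reorder the placeholder row to "<#> | <Month year> | <Changes made>".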