Do you delegate web security to security specialists or are you responsible yourself for implementing web security features and practices?

The W3C SWAG CG survey asks this and other questions and we would value your input as we create Web Security documentation.

https://docs.google.com/forms/d/e/1FAIpQLScbKJL2Q8XABAHVystmqGU2lQoE0tAJSL_dwhvwPwBcJ-M4fQ/viewform?usp=header

Web security survey

Thanks for taking our survey about the usage of web platform security features. We're the W3C Security Web Application Guidelines Community Group (SWAG CG), and our mission is to develop guidelines for the usage of web platform security features, to help web developers secure their sites. We're trying to understand whether developers are using specific web platform security features, and what the barriers are to the adoption of these features.

The survey itself is in three parts:

1. About you: this section asks some questions about you and your level of experience of both general web development technology and web security technology in particular. This helps us understand how different individuals have different perspectives on web security, and helps us design guidelines to help as many developers as possible.
2. Web security features: this asks some questions about your usage of some specific web platform security features.
3. Web security interview: this asks if you would be willing to participate in a short interview with members of SWAG CG, so we can understand better why you use, or don't use, particular features. This information is especially important to us, because it's the kind of qualitative data we can't get through analytics. So if you can spend a little time to talk to us, it would be very much appreciated.

@openwebdocs
This question has a yes/no answer but is not worded in a way that asks yes or no:

When you set cookies that contain a user's login credentials (such as a session ID), do you set the SameSite attribute to "Lax" or "Strict", to control whether the cookie is included in cross-site requests?

@brunogirin @openwebdocs I read the question as "do you set it at all" not "what value do you set it to".

I would've liked a "not applicable" option at several points. What if I just don't embed any external js etc.? My company does have web/browser based products but: little to no js, no external js in most products, no user info besides login/session id, usually runs disconnected from the open internet within internal networks... maybe I wasn't the target group..

@martinschlegel @brunogirin

First point, yes, that is the intention. It's intended to be read like:
1) you set the attribute to Lax or Strict: answer yes
2) you don't set the attribute to Lax or Strict: answer no

@martinschlegel @brunogirin

Second point: you absolutely are the target group!
In the original version of the survey we had "why" questions after each yes/no question - so in your case it would be "no", and "why" would be "because we don't need to take this measure" (where alternative "why" options would be something like "because we couldn't get it to work" or "because we didn't know about it").

@martinschlegel @brunogirin

However, including these made the survey pretty long, so we ended up taking it out and deferring that to interviews, which is the reason we ask if people would be prepared to have an interview.

Would you be up to get interviewed about this?

@openwebdocs @brunogirin ok, interesting. Thanks for the response :)