Skip to main content

Web Packaging

The information below is for an older proposed charter
Document Proposed charter Web Packaging WG (wpack) Snapshot
Title Web Packaging
Last updated 2020-02-07
State External Review (Message to Community, Selected by Secretariat)
WG State BOF
IESG Responsible AD Francesca Palombini
Charter edit AD Alexey Melnikov
Send notices to (None)

The WPACK working group will develop a specification for a web packaging format
that efficiently bundles multiple HTTP representations. It will also specify a
way for the publisher to sign these resources such that a user agent can trust
that they came from their claimed web origins. Key goals for WPACK are:

* Efficient storage across a range of resource combinations. Three use cases to
be supported are: a client-generated snapshot of a complete web page, a web
page's tree of JavaScript modules, and a selection of the whole web for
peer-to-peer distribution in a country when access to authoritative servers is

* The ability to create a snapshot of a web page without the cooperation of its

* The ability to use a web app online or offline, with assurance of its
publisher, after a package of it was received from a peer.

* Low latency to load a subresource from a package, whether the package is
signed or unsigned, and whether the package is streamed or loaded from
random-access storage.

* Being extensible and crypto agile.

* Security and privacy properties of using signed bundles as close as practical
to TLS 1.3 transport of the same resources. Where properties do change, the
group will document exactly what changed and how affected people, including
content publishers and users, can compensate. Part of this is analyzing how the
shift from transport security to object security changes the security
properties of the web's existing features.

* Specifying constraints on how clients load the formats without describing
specific loading algorithm to help achieve the above goals.

The packaging format will also aim to achieve the following secondary goals as
long as they don't compromise or delay the above properties.

* Optimizations in encoding and processing when only a single resource (as
opposed to a collection thereof) is being packaged

* Support signed statements about subresources beyond just assertions that
they're accurate representations of particular URLs.

* Address the threat model of a website compromised after a user first uses the

* Support books being published in the format.

* Optimize transport of large numbers of small same-origin resources.

* Allow publishers to efficiently combine sub-packages from other publishers.

The following goals are out of scope under this charter:

* DRM (Digital Rights Management)

* A way to distribute the private portions of a website. For example, WPACK
might define a way to distribute a messaging application but wouldn't
define a way to distribute individual messages without a direct connection to
the messaging application's origin server.

* Defining the details of how web browsers load the formats and interact with
any protocols we define here, aside from the constraints mentioned above.

* A way to automatically discover the URL for an accessible package that
includes specific content.

Note that consensus is required both for changes to the initially proposed
protocol mechanisms and for their retention. In particular, because something
is in an initial working group draft does not imply that there is consensus
around the feature or around how it is specified.

Relationship to Other WGs and SDOs

WPACK will work with the W3C and WHATWG to identify the existing security and
privacy models for the web, and to ensure those SDOs can define how this format
is used by web browsers.

The WPACK working group will work closely with the HTTPbis working group, in
particular WPACK will attempt to reuse HTTPBIS work on HTTP signing.