A presentation at W3C Workshop Secure the Web Forward by Tobie Langel
Open source security has increasingly become a top concern due to numerous high-profile and high-impact vulnerabilities affecting critical open source projects that underpin the internet’s infrastructure. Over the years, various industry efforts have aimed to address this issue, with a renewed sense of urgency emerging recently. The White House and the EU Commission have taken notice, and legislative efforts are underway across multiple jurisdictions. Open source security is now increasingly framed as a software supply chain issue.
In this context, the OpenSSF has launched an ambitious new project called Alpha-Omega. Most of the open source projects identified by Alpha-Omega fit well within the activity streams defined by the OpenSSF’s Open Source Software Security Mobilization Plan. They are, after all, the infrastructure building blocks that this initiative was designed to harden.
A few projects, however, stand out. jQuery is one of them.
Originally released in 2006, jQuery has significantly impacted both web developers and browser vendors by addressing browser interoperability issues through a unified and enjoyable-to-use API. This has empowered web developers, accelerated the advent of the Web as an application platform, and driven the adoption of better Web standards and more interoperable implementations.
Despite newer frameworks like React, Vue.js, and Svelte gaining popularity, jQuery remains an essential feature of the Web. As of today, it is present in a staggering 78% of the top 1 million websites, according to BuiltWith. For context, React is only found on 14% of the same sample, and most other JavaScript libraries that appeared in the meantime (e.g., Twitter Bootstrap, Modernizr, or Backbone) have fallen out of favor.
jQuery’s massive reach and longevity aren’t its only unique aspects. It’s also one of the rare JavaScript libraries identified by Alpha-Omega that is directly consumer-facing—effectively running on billions of consumer devices—and it runs inside the browser sandbox. This combination creates a different set of security concerns and calls for a dedicated approach.
While this approach is specific to jQuery in this context, it touches on several broader points relevant to this audience, notably:
This project also provides an opportunity to explore improving the security of end-users on the web through multi-modal approaches across:
Once again—and against all odds—jQuery can be a trailblazer and help move the web forward.