Acceptance Criteria

Externally Supplied Content

Author: Lea Jackson, Etherel Johnson

Department: Global Application Delivery

Date created: Tuesday, 27 July 2007

Date last amended: Tuesday, 16 December 2008

Version: 6.3

Document Source

Distribution List

Recipient / Area / Role (Information, Review, Sign-off)
Julian Brewer / Electronic Banking / Information and distribution
Cheryl Kennedy / Electronic Banking / Information and distribution
Scott Ford / Wealth Management / Information and distribution
Duncan Smith / Barclaycard Online Product / Information and distribution
Web Development Services / GAD, UKRB Technology / Information and distribution

Purpose of Document

The purpose of this document is to provide guidelines and acceptance criteria around the hosting of externally built content. Compliance with the contents of this document will ensure that assets meet the benchmark for acceptance.

Revised Date / Previous Version / Summary of Changes / New Version
08th February 2008 / 5.1 /
  • Updated Flash statistics (in Appendix)
/ 5.2
27th March 2008 / 5.2 /
  • Added section D.4
/ 5.3
31st March 2008 / 5.3 /
  • Updated DDA checklist with new version 4.8
/ 5.4
06th May 2008 / 5.4 /
  • Updated Flash statistics (in Appendix)
  • Added Validation Checklist (in Appendix)
/ 5.5
27th May 2008 / 5.6 /
  • T6 - Added Barclays Application Design Review requirement
  • T6 – Added htmlspecialchars usage requirement
  • T6 – Added validation requirement
/ 5.7
5th June 2008 / 5.7 /
  • T6 – Added PHP Coding Standards reference and link

10th June 2008 / 5.7 /
  • Removed Perl CGI from Technology offerings and configurations table
  • Adding Guidelines and Recommendations section
  • G.1 - Added SEO guidelines
  • G.2 – Added guidelines for Flash video
  • S.4 – Added data feed requirement
/ 5.8
24th September 2008 / 5.8 /
  • R.5 – Updated text to “Will have to resolve any issues that are uncovered from the Web Development Services Quality Assurance testing.”
  • T.7 – Added code for PHP DOCTYPE Switcher
/ 5.9
13th October 2008 / 5.9 /
  • Updated version of Apache and PHP in ‘Technology Offerings and Configurations’
/ 6.0
13th November 2008 / 6.0 /
  • Updated supported browser version (in Appendix)
  • Updated Flash statistics (in Appendix)
/ 6.1
28th November 2008 / 6.1 /
  • T.11 – Use of built in Oracle Functions added
/ 6.2
16th December 2008 / 6.2 /
  • Updated DDA Checklist in Appendix R.3a following the release of v4.9 of the checklist by the EDA
/ 6.3

Acceptance Criteria

Domains / Area / Description / Reference
Delivery / Format / Should be in one of the following formats:
- Email (zip file)
- File on their own extranet (zip file): the extranet should be tested and confirmed as accessible by Web Development Services prior to commencement of project work.
- File on a USB stick (zip file) / D.1
Date / Should be delivered as specified by the Web Development Services Project team. / D.2
Handover / A handover document must be supplied. This is a technical summary of the site and must contain the following information as a minimum:
- Number of pages
- Graphics – average size (max 30k)
- PSD files of graphics to be supported
- Functionality specification of the site.
E.g. Email, Forms, Validation (see appendix) and Security Requirements
- Life span of the site.
- Projected volumes
- Expected support model / D.3
Wireframes / Page Design / All final page designs (supplied in PSD, GIF, JPG format) must comply with the branding guidelines and technological constraints.
Including:
Live Text, i.e. text that will be rendered by the browser, must use a common font (typically Verdana) and must not use a Barclays font (e.g. Barclays Sans or Expert Sans) / D.4
Roles/Ownership / Stakeholder / Must ensure that the content delivered is final and signed-off / R.1
Must complete testing on the Third Party/External Agency test server prior to delivery of content for hosting, i.e. the Stakeholder must provide documented evidence of testing and test results confirming that testing has been completed and the site is ready for hosting. UAT will still be required on the Barclays domain prior to live. / R.2
Must ensure the External Agency completes:
- DDA (Disability Discrimination Act) Checklist (see appendix R.3a)
- Site Optimisation checklist (see appendix R.3b).
The completed Checklists should be provided with the content. / R.3
Agency / Any amends/corrections to the site and its contents are the responsibility of the External Agency employed by the stakeholder until the site has gone live and been accepted into formal BAU (acceptance into formal BAU means adherence to this criteria document), after which the normal BAU (ESP) process must be followed.
Any warranty agreements must continue to be honoured. / R.4
Will have to resolve any issues that are uncovered from the Web Development Services Quality Assurance testing. / R.5
Will have to ensure that any code developed takes into account the Security and Hosting concerns of the domain. / R.6
Technical / Accessibility / All code is well formed and passes W3C validation / T.1
Format / Content to be built according to the technical configuration of the domain the content is to be hosted on (see Technology Offerings and Configurations table below).
N.B. All ‘home’ pages must be named ‘index.html’ (not ‘default.htm’ or ‘home.htm’ or other such names). / T.2
Page (File) / Folder (Directory) naming / The following page/folder naming standards and recommendations should be adhered to:
- Avoid hyphens
- Avoid underscores
- No capitalisation
- No spaces
- Full stops to be used only to separate filename from extension (e.g. no my.page.html)
- All HTML or PHP files that are accessible to the public have a .html extension
- All names must start with a letter and be meaningful (e.g. no 1.html or tyt888.html)
- The default page in a folder must be called index.html
There is a list of keywords that must not be used in file or folder names as this will stop the page/folder from being transferred to the Preview and Live servers.
See appendix for full list of blocked keywords. / T.3
Browsers / All content has been tested against:
IE 6, 7 (and 8 beta where possible)
Mozilla Firefox 2, 3
Safari 2
See appendix for more details. / T.4
Page & image download speed / Ensure all pages download initial content within 25 seconds via a dial-up connection (assuming a connection speed of 40 kbit/s). Streaming components of the page are not covered by this rule.
GREEN Every page should be displayed and in a usable state within 17 seconds.
AMBER If the page takes between 17 and 25 seconds to be displayed, the code and images must be reviewed to ensure all optimisation tasks have been completed.
RED Any page taking more than 25 seconds to display has failed.
17 seconds equates to 85 KB total download size
25 seconds equates to 125 KB total download size / T.5
PHP / All application designs must be reviewed by Barclays Technical Designers to ensure alignment with infrastructure and application design practices, prior to build. The following are some points that should be considered during the design process:
Registered variables must not be used.
Global variables should be used sparingly. Session data should be maintained and stored within a database, or transferred from page to page via hidden variables.
All web applications must be designed using an Object Oriented approach, PHP Patterns and the PHP Coding Standards where possible (see Appendix for more details).
Include files should reside within an ‘includes’ folder alongside the ‘htdocs’ folder of the web tree.
Where an application resides in a subfolder of ‘htdocs’ the application includes should also reside in a subfolder of ‘includes’ of the same name.
All user inputted data that is written back to the browser must be protected using PHP’s htmlspecialchars function.
All user inputted data must be validated that it meets requirements.
All variables embedded into SQL queries must be checked for SQL injection exploits (See Appendix for more details).
No data must be written to the webserver.
Session data should be held within an oracle database table referenced by a secure cookie. / T.6
HTML / All HTML must be scripted for:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"
If this is the case, please replace the usual “DOCTYPE” code with the following code.
<?php
include_once "xhtml-header.phpt";
?>
If you require more information regarding the replacement code please contact Web Development Services.
Deviations from this will require Global Application Delivery dispensation. / T.7
Flash / To maximise the number of customers who will be able to view Flash files, CIO strongly recommends that Flash files are built to display in Flash 8.
The business can opt to allow for these files to be built in a higher version if they are prepared to accept that a reduced number of customers will be able to see the Flash file.
It is essential that a non-flash version (i.e. a JPG, GIF or PNG file) is displayed for any customers who do not have the appropriate Flash plug-in installed on their browser.
See appendix for Flash penetration tests. / T.8
Tracking Tags / Please check with CIO before implementing any tracking tags as they may have a preferred method of implementation.
For example, for the ‘Bigmouth’ tag CIO has a section of PHP code that will build the tag with its dynamic components. / T.9
error.html – 404 Error page / A 404 error page must be supplied using the same branding/look as the rest of the site.
This page must be called error.html and be stored in the root of the htdocs folder.
As a minimum this page must contain a link to allow the user to be taken back to the site’s home page. Ideally it should also provide a link to the site’s ‘site map’ page. / T.10
Oracle / The Oracle Database does NOT support the use of Oracle Stored Procedures.
All SQL Select, Insert, Update and Delete queries should be written and run from a PHP interface.
This allows us to keep all operational logic together.
Where required, the use of Oracle Sequences is permitted. The use of Oracle Triggers is permitted but discouraged for the reason stated above. / T.11
Security / Penetration Tests / Penetration tests are mandatory for all functional applications unless advised otherwise by IT Security / S.1
Encryption / PGP/GPG Encryption should be used to encrypt all data being delivered to us via file transfer or sent from our infrastructure via email. / S.2
SSL / When data pertaining to the identity or contact details of our customers is being collected or transmitted via HTTP, the connection must be over SSL, i.e. https / S.3
Data Feeds / All data feeds from third parties into Barclays hosted sites are to be over a secure session. / S.4
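The T.3 naming rules above are mechanical enough to check before a delivery is accepted. The script below is an added example, not part of this document or of any Barclays tooling: it checks each folder and file segment of a path (relative to htdocs) against the T.3 rules and the T.2 index.html rule. The blocked-keyword list is a placeholder, because the appendix list is not reproduced here, and the "meaningful name" rule cannot be automated, so it only checks that a name starts with a letter.

```php
<?php
// Added example (not from the original document): a checker for the T.3
// page/folder naming rules. Paths are relative to the htdocs root,
// e.g. "offers/summer/index.html".

// PLACEHOLDER: replace with the blocked-keyword list from the T.3 appendix.
function blockedKeywords() {
    return array('blockedkeywordplaceholder');
}

// Extensions that T.3 does not allow on publicly reachable HTML/PHP pages.
function disallowedPageExtensions() {
    return array('php', 'phtml', 'htm');
}

// Base names used for a folder's default page that T.2/T.3 reject;
// only "index.html" exactly is allowed.
function wrongDefaultPages() {
    return array('default', 'home', 'index');
}

// Checks one name segment (a folder or a file). Returns a list of violations.
function checkSegment($name, $isFile) {
    $v = array();
    if ($name === '') {
        return array('empty name segment');
    }
    if (strpos($name, '-') !== false)    $v[] = "$name: contains a hyphen";
    if (strpos($name, '_') !== false)    $v[] = "$name: contains an underscore";
    if (strpos($name, ' ') !== false)    $v[] = "$name: contains a space";
    if ($name !== strtolower($name))     $v[] = "$name: contains capital letters";
    if (!preg_match('/^[a-z]/i', $name)) $v[] = "$name: must start with a letter";

    $dotCount = substr_count($name, '.');
    $base = $name;
    $ext  = '';
    if ($isFile) {
        if ($dotCount !== 1) {
            $v[] = "$name: a file name needs exactly one full stop, before the extension";
        }
        $pos = strrpos($name, '.');
        if ($pos !== false) {
            $base = substr($name, 0, $pos);
            $ext  = strtolower(substr($name, $pos + 1));
        }
        if (in_array($ext, disallowedPageExtensions())) {
            $v[] = "$name: public pages must use the .html extension";
        }
        if (in_array(strtolower($base), wrongDefaultPages()) && $name !== 'index.html') {
            $v[] = "$name: the default page in a folder must be called index.html";
        }
    } elseif ($dotCount > 0) {
        $v[] = "$name: folder names must not contain full stops";
    }
    // Assumption: blocked keywords are matched against the whole name, without extension.
    if (in_array(strtolower($base), blockedKeywords())) {
        $v[] = "$name: uses a blocked keyword and will not transfer to Preview/Live";
    }
    return $v;
}

// Checks every segment of a relative path. An empty result means the path complies.
function checkWebPath($path) {
    $segments = explode('/', trim($path, '/'));
    $file = array_pop($segments);
    $violations = array();
    foreach ($segments as $folder) {
        $violations = array_merge($violations, checkSegment($folder, false));
    }
    return array_merge($violations, checkSegment($file, true));
}

// Constructed sample paths, as they might be read from a delivered zip listing.
$samples = array(
    'offers/summer/index.html',   // compliant
    'Offers/my-page.html',        // capital letter, hyphen
    'news/default.htm',           // wrong default page name and extension
    'news/my.page.html',          // extra full stop
    'apps/1.html',                // does not start with a letter
);
foreach ($samples as $p) {
    $result = checkWebPath($p);
    echo $p, ': ', ($result ? implode('; ', $result) : 'OK'), "\n";
}
```

Run it over the file listing of the delivered zip (for example the output of `unzip -l`) to produce the list of names the External Agency must correct before the content can be transferred to the Preview and Live servers.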
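The T.5 download-speed rule translates into a page-weight budget: 40 kbit/s is 5 KB per second, so 17 seconds is 85 KB and 25 seconds is 125 KB. The script below is an added example, not part of this document, written for PHP 5 or later: it sums the size of an HTML file plus the local images, scripts and link targets it references, estimates the dial-up download time, and grades the page GREEN, AMBER or RED with the T.5 thresholds. Streamed components are not counted, in line with T.5, and latency is ignored, so the estimate is optimistic. The temporary sample page and assets at the bottom are constructed so the script runs stand-alone.

```php
<?php
// Added example (not from the original document): a page-weight check for T.5.

define('DIALUP_BITS_PER_SECOND', 40000);   // the 40 kbit/s connection assumed by T.5

// Estimated seconds to download $bytes at 40 kbit/s (no allowance for latency).
function dialupSeconds($bytes) {
    return $bytes * 8 / DIALUP_BITS_PER_SECOND;
}

// T.5 grading: up to 17 s GREEN, 17-25 s AMBER (review optimisation), over 25 s RED (failed).
function gradePage($bytes) {
    $s = dialupSeconds($bytes);
    if ($s <= 17) return 'GREEN';
    if ($s <= 25) return 'AMBER';
    return 'RED';
}

// Collects local asset references (img/script src and every <link> href) from HTML.
// External (scheme:// or //host) references and data URIs are skipped; query
// strings and fragments are dropped before the path is resolved.
function localAssetPaths($html) {
    $paths = array();
    $patterns = array(
        '/<img\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']/i',
        '/<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']/i',
        '/<link\b[^>]*\bhref\s*=\s*["\']([^"\']+)["\']/i',
    );
    foreach ($patterns as $re) {
        if (preg_match_all($re, $html, $m)) {
            foreach ($m[1] as $ref) {
                if (preg_match('#^(?:[a-z]+:)?//#i', $ref) || stripos($ref, 'data:') === 0) {
                    continue;   // not served from this site, so not part of the budget
                }
                $ref = preg_replace('/[?#].*$/', '', $ref);
                if ($ref !== '') $paths[] = $ref;
            }
        }
    }
    return array_unique($paths);
}

// Returns the total byte count, the time estimate, the grade and any referenced
// local assets that could not be found (a missing asset is a delivery defect too).
function checkPageWeight($htmlFile, $docRoot) {
    $html  = file_get_contents($htmlFile);
    $total = strlen($html);
    $missing = array();
    foreach (localAssetPaths($html) as $ref) {
        // Root-relative references resolve against htdocs, others against the page's folder.
        $full = (substr($ref, 0, 1) === '/') ? $docRoot . $ref : dirname($htmlFile) . '/' . $ref;
        if (is_file($full)) {
            $total += filesize($full);
        } else {
            $missing[] = $ref;
        }
    }
    return array(
        'bytes'   => $total,
        'seconds' => round(dialupSeconds($total), 1),
        'grade'   => gradePage($total),
        'missing' => $missing,
    );
}

// Constructed sample: a small page and two assets written to a temporary folder.
$root = sys_get_temp_dir() . '/weightcheck';
@mkdir($root . '/images', 0700, true);
file_put_contents($root . '/index.html',
    '<html><head><link rel="stylesheet" href="/site.css"></head>' .
    '<body><img src="images/logo.gif"><img src="http://example.com/x.gif"></body></html>');
file_put_contents($root . '/site.css', str_repeat('a', 20000));
file_put_contents($root . '/images/logo.gif', str_repeat('b', 30000));

$r = checkPageWeight($root . '/index.html', $root);
printf("%d bytes, about %.1f s on dial-up: %s\n", $r['bytes'], $r['seconds'], $r['grade']);
// roughly 50 KB, about 10 s, so GREEN; missing local assets, if any, are in $r['missing']
```

Run it against index.html of each delivered site with the unzipped htdocs folder as the document root; an AMBER result is the trigger for the optimisation review T.5 calls for, and a RED result is a failed acceptance.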
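The T.6 requirements (validate all input, pass everything written back to the browser through htmlspecialchars, protect every variable embedded in SQL, register_globals off) and the T.11 requirement that all SQL runs from the PHP interface come together in a typical form handler. The code below is an added example, not from this document and not Barclays or Web Development Services code: it shows the pattern T.6 rules out beside a compliant version of the same handler. It assumes the PHP 5 OCI8 function names (oci_connect, oci_parse, oci_bind_by_name, oci_execute), a table ENQUIRIES(ID, EMAIL, MESSAGE) and a sequence ENQUIRIES_SEQ; the table, sequence and connection details are illustrative placeholders.

```php
<?php
// Added example (not from the original document): a contact-form handler written
// to T.6 and T.11, shown beside the insecure pattern it replaces. Table and
// sequence names are placeholders.

// --- What T.6 rules out ----------------------------------------------------
// With register_globals on, $email and $message arrive straight from the request.
// The string concatenation is the SQL injection pattern T.6 refers to, and echoing
// $message unencoded is the cross-site scripting pattern htmlspecialchars prevents.
function insecureHandler($conn) {
    global $email, $message;   // populated by register_globals (must be off on the Globix domains)
    $sql = "INSERT INTO enquiries (id, email, message) " .
           "VALUES (enquiries_seq.NEXTVAL, '$email', '$message')";
    oci_execute(oci_parse($conn, $sql));
    echo "Thanks, $message";
}

// --- T.6-compliant version -------------------------------------------------
// Validation: each field must meet its requirements or the request is rejected.
function validateEnquiry($post) {
    $errors  = array();
    $email   = isset($post['email'])   ? trim($post['email'])   : '';
    $message = isset($post['message']) ? trim($post['message']) : '';
    if (strlen($email) > 254 ||
        !preg_match('/^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $email)) {
        $errors[] = 'email';
    }
    if ($message === '' || strlen($message) > 1000) {
        $errors[] = 'message';
    }
    return array('email' => $email, 'message' => $message, 'errors' => $errors);
}

// Output encoding: everything written back to the browser goes through htmlspecialchars.
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// T.11: the SQL lives in PHP, uses a sequence for the key, and binds every
// variable instead of embedding it. Returns the new row id, or false on failure.
function insertEnquiry($conn, $email, $message) {
    $sql = 'INSERT INTO enquiries (id, email, message) ' .
           'VALUES (enquiries_seq.NEXTVAL, :email, :message) RETURNING id INTO :id';
    $stmt = oci_parse($conn, $sql);
    oci_bind_by_name($stmt, ':email', $email);
    oci_bind_by_name($stmt, ':message', $message);
    oci_bind_by_name($stmt, ':id', $id, 20);   // $id is filled by RETURNING INTO
    if (!oci_execute($stmt)) {                 // default mode commits on success
        return false;
    }
    return (int) $id;
}

function secureHandler($conn, $post, $isHttps) {
    // S.3: contact details are only accepted over SSL.
    if (!$isHttps) {
        header('HTTP/1.1 403 Forbidden');
        echo 'This form must be submitted over https.';
        return;
    }
    $in = validateEnquiry($post);
    if ($in['errors']) {
        echo '<p>Please check: ' . h(implode(', ', $in['errors'])) . '</p>';
        return;
    }
    $id = insertEnquiry($conn, $in['email'], $in['message']);
    if ($id === false) {
        echo '<p>Sorry, your enquiry could not be saved.</p>';   // no Oracle error detail to the browser
        return;
    }
    echo '<p>Thank you. Your reference is ' . h((string) $id) . '.</p>';
}

// Usage with placeholder credentials:
// $conn = oci_connect('APPUSER', 'PASSWORD', 'ORCL');
// secureHandler($conn, $_POST, !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off');
```

The bind variables are what satisfy the SQL injection check in T.6: the user's text never becomes part of the statement, so it cannot change its structure. Keeping the INSERT in PHP rather than in a stored procedure or trigger is the T.11 point about keeping all operational logic together.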

Guidelines and Recommendations

Area / Description / Version
SEO / See Appendices for SEO guidelines provided by Big Mouth Media / G.1
Flash video / See Appendices for Recommendations for Flash video hosted on Globix / G.2

Technology Offerings and Configurations

Domains / Description / Version
Globix domains (new & existing) / PHP 4
curl support
extension_dir:/usr/local/lib/
post max size: 8M
GD support (2.0 compatible, JPG, PNG GIF)
Mcrypt support (>=2.4)
OCI8 support
PDFlib GmbH (6.0.3p1)
Registered variables: off
Expat XML support / 4.4
Apache 2 / 2.0.59
cURL / 7.10.3
SendMail (and Email Delivery Management)
SSL Certificates (on a per domain basis)
Oracle / 9.0
GnuPG
RSA Token Authentication

Appendices

Description / File/URL / Reference
DDA / / R.3a
Site optimisation / / R.3b
Page/Folder naming – Blocked Keywords / / T.3
Browser Testing/Support / / T.4
PHP Patterns / / T.6
PHP SQL Injection / / T.6
PHP Coding Standards / / T.6
Flash Penetration / Adobe Flash Player Version Penetration
Ubiquity of Adobe Flash Player by Version — September 2008
FlashPlayer7 / FlashPlayer8 / FlashPlayer9 / FlashPlayer9.0.115
Europe / 99.1% / 98.9% / 98.0% / 88.6%
Source: / T.8
Standard Validation Testing / / D.3
SEO guidelines / / G.1
Flash video / / G.2

-- END --

Application Delivery - Global Application Delivery Services
