- From: Léonie Watson <tink@tink.uk>
- Date: Tue, 29 Mar 2016 14:44:00 +0100
- To: "'Wendy Seltzer'" <wseltzer@w3.org>, "'Rich Schwerdtfeger'" <richschwer@gmail.com>
- Cc: "'ARIA Working Group'" <public-aria-admin@w3.org>

> From: Wendy Seltzer [mailto:wseltzer@w3.org]
> Sent: 24 March 2016 20:56
>
> Yes, I think it's a security problem if what is displayed to users through
> different interfaces of the same field differs. Inevitably, someone will design
> a system that makes the wrong assumptions based on what *they*
> encounter, and it will fail for users who get different behavior. For example,
> if the screen-reader were told to obscure characters but the visible password
> field did not, a person using a screen-reader could be misled about how the
> interface functioned (or vice versa).

That's interesting. I hadn't considered that a purpose-built attack might be created to take advantage of this security hole.

> The WebAppSec group could be another source for advice here. Let me
> know how I can help follow up.

Thanks Wendy. I think this would be helpful, but will leave it with Rich.

Léonie.

Received on Tuesday, 29 March 2016 13:44:36 UTC