- From: Michael Cooper <cooper@w3.org>
- Date: Wed, 22 Jun 2016 14:53:39 -0400
- To: Richard Schwerdtfeger <richschwer@gmail.com>
- Cc: ARIA <public-aria@w3.org>
- Message-ID: <2f4a4c3e-b7db-e6b9-7d3f-caf348c18f10@w3.org>
On 22/06/2016 1:58 PM, Richard Schwerdtfeger wrote: > Well, > > Michael, as it turns out input type=“password” is not secure either. I > will be filing an APA issue. > This does bring up some concerns about the bar we should meet. One argument in the WG against the password role (though properly I think that is an argument against custom passwords, not the role per se) is that HTML passwords are more secure. But the HTML 5.1 password spec <https://www.w3.org/TR/html51/sec-forms.html#password-state-typepassword> doesn't say much about the security protections user agents provide, aside from "The user agent should obscure the value so that people other than the user cannot see it." For custom password fields, that would be an author responsibility, regardless of whether they use the password role. I can't find any other guidance in the HTML spec about protecting password fields, and this has likely been true for several versions. Maybe there is some de facto security implemented long ago by most browsers so there wasn't seen a need to address it in the spec, though since a main goal of HTML 5 was to document existing browser behavior, it's a surprise this didn't come up. I don't have information about what proportion of user agents do provide that security, and wonder if interoperability testing data exists on this. If Rich has found implementations that don't meet the level of security we assume, then it brings further questions about whether comparing to HTML should be a reason for decisions we make on the ARIA feature. At the moment I think the draft ARIA password role text has more security guidance for AT and authors than the HTML spec. Michael
Received on Wednesday, 22 June 2016 18:53:35 UTC