W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2014

Re: [MIX] PF comments on Mixed Content - accessible indication and user controls

From: Michael Cooper <cooper@w3.org>
Date: Wed, 17 Dec 2014 15:37:00 -0500
Message-ID: <5491E96C.4010805@w3.org>
To: Mike West <mkwst@google.com>, Brad Hill <hillbrad@fb.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>, WAI Liaison <wai-liaison@w3.org>
Thank for your prompt response to the comments filed by the PFWG. The 
group thinks the edits made largely address the comment. The PFWG has 
one request for the changes implemented: the "SHOULD" statement you 
added should be a "MUST". So the two instances of "... SHOULD also be 
made available through accessibility APIs..." we request be changed to 
"... MUST also be made available through accessibility APIs...".

The rationale is that these requirements are very important for 
situations to which they apply. They only apply when the relevant 
conditions stated in the rest of the paragraph are active. So they are 
not across-the-board requirements - but are critical when applicable. 
These relate to the requirements of User Agent Accessibility Guidelines 
success criteria 4.1.1 http://www.w3.org/TR/UAAG20/#sc_411 and 4.1.2 
http://www.w3.org/TR/UAAG20/#sc_412. (Those are provided for reference, 
not as a request to add those to the specification.)

Michael

On 11/12/2014 6:53 AM, Mike West wrote:
> Brad's changes look reasonable to me. I've merged his patch, and will 
> be happy to make further changes if deemed necessary.
>
> Thanks for reviewing the spec!
>
> -mike
>
> --
> Mike West <mkwst@google.com <mailto:mkwst@google.com>>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, 
> Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der 
> Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine 
> Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Wed, Dec 10, 2014 at 3:46 PM, Brad Hill <hillbrad@fb.com 
> <mailto:hillbrad@fb.com>> wrote:
>
>     Thank you, Michael.
>
>     Please let me know if you believe the following changes are
>     sufficient:
>
>     https://github.com/w3c/webappsec/pull/110
>
>     -Brad Hill
>
>     From: Michael Cooper <cooper@w3.org <mailto:cooper@w3.org>>
>     Date: Wednesday, December 10, 2014 at 9:58 AM
>     To: "public-webappsec@w3.org <mailto:public-webappsec@w3.org>"
>     <public-webappsec@w3.org <mailto:public-webappsec@w3.org>>, WAI
>     Liaison <wai-liaison@w3.org <mailto:wai-liaison@w3.org>>
>     Subject: [MIX] PF comments on Mixed Content - accessible
>     indication and user controls
>     Resent-From: <public-webappsec@w3.org
>     <mailto:public-webappsec@w3.org>>
>     Resent-Date: Wednesday, December 10, 2014 at 9:58 AM
>
>         The Protocols and Formats Working Group has reviewed the Mixed
>         Content specification and has two comments:
>
>         1) Section 4.3 - UI Requirements
>         http://www.w3.org/TR/2014/WD-mixed-content-20140722/#requirements-ux
>         <https://urldefense.proofpoint.com/v1/url?u=http://www.w3.org/TR/2014/WD-mixed-content-20140722/%23requirements-ux&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=HU3cThGizwgsko8%2BWBMXZg%3D%3D%0A&m=XPcXAKUl3phy%2FY%2Ft%2BlvgAEh9qYPjZHSeKjorGTIZU5s%3D%0A&s=5c5f053ec7c7d182281966f064f0648c8da272411726617ad0fe54fa6652ffbd>
>
>         There is a requirement that the UI have a visual indication as
>         to whether the connection is secure or not:
>
>
>             If a request for optionally blockable passive resources
>             which are mixed content is not treated as active content
>             (per requirement #3 above), then the user agent MUST NOT
>             provide the user with a visible indication that the
>             top-level browsing context which loaded that resource is
>             secure (for instance, via a green lock icon). The user
>             agent SHOULD instead display a visible indication that
>             mixed content is present.
>
>
>         It is important to have a requirement that the indication is
>         also available to assistive technology. Current
>         implementations have an image icon that is not made available
>         to accessibility APIs.
>
>         2) Section 4.4 - User Controls
>         http://www.w3.org/TR/2014/WD-mixed-content-20140722/#requirements-user-controls
>         <https://urldefense.proofpoint.com/v1/url?u=http://www.w3.org/TR/2014/WD-mixed-content-20140722/%23requirements-user-controls&k=ZVNjlDMF0FElm4dQtryO4A%3D%3D%0A&r=HU3cThGizwgsko8%2BWBMXZg%3D%3D%0A&m=XPcXAKUl3phy%2FY%2Ft%2BlvgAEh9qYPjZHSeKjorGTIZU5s%3D%0A&s=71fe814840bf2380b530e9334924d92417469034db7420a7920b26874757fded>
>
>         There are some MAY statements about user agents offering
>         controls to limit exposure to blockable passive content and
>         active mixed content.  Such controls need to be available to
>         the assistive technology as well.
>
>         For the PFWG,
>         Michael Cooper
>
>
Received on Wednesday, 17 December 2014 20:37:08 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:08 UTC