- From: Michael Cooper <cooper@w3.org>
- Date: Thu, 19 Jun 2014 09:19:30 -0400
- To: public-webappsec@w3.org
- CC: WAI Liaison <wai-liaison@w3.org>
- Message-ID: <53A2E362.8030702@w3.org>
Below are comments from the WAI Protocols and Formats Working Group on
User Interface Security Directives for Content Security Policy
http://www.w3.org/TR/2014/WD-UISecurity-20140318/.
1. We note that there are RFC2119 MUST statements in sections marked as
informative. This is confusing for implementation requirements and
review. Please ensure that all sections that have RFC2119 MUST
statements are in normative sections.
2. We welcome the section 14.1 on assistive technologies. However, we
do think the section is clear enough as written. More detail, and
perhaps some examples, would be welcome. Some specific questions we
had, that we didn't know how to answer based on what was present in
the section, include:
* Would an app using UI Security Directives be able to be operated
by a cloud-based screen reader, such as Web Anywhere, which
wraps a frame around all content it reads?
http://webanywhere.cs.washington.edu/
* Will the input protection heuristic work when a screen
magnifier, such as Windows Magnifier or ZoomText is running on
the machine?
* How will browser zooming impact the input protection heuristic?
What if the zoom occurs during the user interaction?
* Some assistive technology simulates mouse actions. How will
this impact UI Event Handling?
* Some assistive technology simulates user actions via platform
accessibility APIs. How will this impact UI Event Handling?
* Some assistive technology simulates user actions via the DOM.
How will this impact UI Event Handling?
3. In the same section 14.1, we request that the statement "User agents
SHOULD provide a means ..." be changed to MUST and add a sentence at
the end "The mechanism for manually disabling enforcement of the Input
Protection Heuristic MUST be operable by assistive technologies and
by people with cognitive disabilities who are able to understand the
security risk."
4. In Section 15 we request addition of the paragraph "Mechanisms for
CAPTCHA and user verification should include options for people with
different disabilities, including cognitive disabilities, people
with impaired visual and auditory discrimination skills, and for
different modalities. For example, if CAPTCHA or user verification
require biometrics, a choice should be offered of what biometrics to
use, as people with different disabilities may be unable to use one
or more specific biometric mechanisms. Further, when two step
verification procedures are used, any time limit is a problem and it
should not be dependent on the user's short term memory or on the
user's ability to copy accurately. See Inaccessibility of CAPTCHA
(http://www.w3.org/TR/turingtest/) for more information about accessible
CAPTCHA."
Received on Thursday, 19 June 2014 13:19:33 UTC