RE: Issue 948 SC 1.3.5 Identify Input Purpose - autocomplete technique VS Privacy/Security

I think the note would be more beneficial to organizations that are in a position to educate users in taking precautions with their “autocomplete” data, than to Web content developers. However, including such a note with the technique and enabling the EO working group to take the issue into account is the most that this working group could reasonably do under the circumstances.

From: Alastair Campbell <acampbell@nomensa.com>
Sent: Tuesday, June 5, 2018 6:17 PM
To: White, Jason J <JJWHITE@ets.org>
Cc: WCAG <w3c-wai-gl@w3.org>
Subject: RE: Issue 948 SC 1.3.5 Identify Input Purpose - autocomplete technique VS Privacy/Security

Hi Jason,

That’s a slightly different issue, and one that has been raised and answered previously:
https://github.com/w3c/wcag21/issues/590#issuecomment-359288754

It generated a bug on HTML, which was resolved by including in HTML5.3(?) that “User agents should verify that all fields with the [autocomplete] attribute wearing the autofill expectation mantle are visible within the viewport before automatically entering data.”
https://github.com/w3c/html/issues/1285

Adding a note is fine, I think it would be most appropriate on the technique for autofill.

However, I’m not sure what it would say as we don’t currently have an alternative (accessibility supported) technique to propose. So it would basically say: Use this technique, but just so you know here are some privacy & security issues with it… but you still have to use it.

One of the issues is something that the user-agents will have to tackle regardless of WCAG 2.1, and this latest one doesn’t really seem to be an issue.

Is it worth a note?

-Alastair


From: White, Jason J

Safari under Mac OS doesn’t complete form fields unless I move focus to the field and explicitly choose to invoke the automatic completion.

I don’t know whether other browsers will follow this example. Privacy concerns associated with autocomplete have surfaced recently, focusing on exploitation by third-party tracking scripts associated, presumably, with advertising.
https://freedom-to-tinker.com/2017/12/27/no-boundaries-for-user-identities-web-trackers-exploit-browser-login-managers/

It should be noted that, as emphasized in the article, the feature is working as designed – there’s no hitherto unknown vulnerability here.

I would suggest including the “autocomplete” technique as planned, but adding a note (if it isn’t already in the draft) on its privacy and security implications.

Received on Tuesday, 5 June 2018 22:57:51 UTC