Re: [Proposal] New Guideline 6 checkpoints (APIs, Infoset, DOM) from Al Gilman on 2002-05-21 (w3c-wai-ua@w3.org from April to June 2002)

From: Al Gilman <asgilman@iamdigex.net>
Date: Tue, 21 May 2002 09:24:44 -0400
To: w3c-wai-ua@w3.org
Message-Id: <5.1.0.14.2.20020520221929.01fd22a0@pop.iamdigex.net>

At 10:40 AM 2002-05-20, Jon Gunderson wrote:
>6.5Programmatic access to user agent user interface controls.(P1)

>a. I think for the read requirement we also need a security clause to say that what is available through the read access is the same information that is available to the user through the user interface.  So for example a password box that shows asterisks to the user through the user interface, would also be the same content as a programmatic read.

We should not add this.  The value waiting to be submitted should not be obscured in the API access to the content.   However the [asterisks] should be present in the access to as-rendered content.  The password or equivalent should be marked as security sensitive.  This is accoplished by the element name in the infoset.  It is the responsibility of the AT, the co-routine receiving the API access, to handle it safely for the security sensitivity that it has.  But what is "safely" depends on the delivery context.

A user using an earphone to receive their audio readout and suppressing speaker output has probably created sufficient physical security so that the echo of this field need not be obscured.   

The default binding of the interaction defines the initial point for adaptation, but not the reference definition of the interaction.  The reference definition is what the application needs from the user to get on with doing the user's bidding.  One changes the interaction as little as possible to achieve what is needed, but in the context of what does get changed, the interaction should be fully optimized.  Optimized for usability, not just closeness to the default binding.

 http://lists.w3.org/Archives/Public/www-archive/2001Nov/0069.html

We should not be left in the position of forcing the perpetuation of a usability problem under circumstances where the security rationale is not valid.

Al

>Jon
>
>
>[1] http://lists.w3.org/Archives/Public/w3c-wai-ua/2002AprJun/0090

Received on Tuesday, 21 May 2002 09:24:47 UTC