- From: John Foliot <john.foliot@deque.com>
- Date: Fri, 1 Apr 2016 11:17:51 -0500
- To: Rich Schwerdtfeger <richschwer@gmail.com>
- Cc: Joseph Scheuhammer <clown@alum.mit.edu>, Cynthia Shelly <cyns@microsoft.com>, Matt King <a11ythinker@gmail.com>, Léonie Watson <tink@tink.uk>, ARIA Working Group <public-aria-admin@w3.org>, David Bolter <dbolter@mozilla.com>, Dominic Mazzoni <dmazzoni@google.com>, Chaals from Yandex <chaals@yandex-team.ru>, James Craig <jcraig@apple.com>, jamie@nvaccess.org
- Message-ID: <CAKdCpxy_R5fzbj15OOPR2QKnxLLs1LwVW82BprUGwAxza4u2SQ@mail.gmail.com>
> What you are advocating is not providing the role and leaving it open because you think we are creating another hole which I do not agree that we are. First Rich, I've politely asked that you to not make this personal. This is my second, and hopefully last request for that respect (please). For the record, it's not just *ME* who has expressed concerns over this; people like Matt King, Leonie Watson and Wendy Seltzer (W3C Legal counsel) have also spoken up with their concerns: "For example, if the screen-reader were told to obscure characters but the visible password field did not, a person using a screen-reader could be mis-led about how the interface functioned (or vice versa)." - Wendy Seltzer (https://lists.w3.org/Archives/Public/public-aria-admin/2016Mar/0023.html) "Introducing a different security hole to fix another doesn’t seem like a good solution." - Leonie Watson ( https://lists.w3.org/Archives/Public/public-aria-admin/2016Mar/0028.html) "Note that without the password role, the user is in control. All screen readers have a key for turning off key echo. So, no password role is the safer course if we can not resolve the conflict." - Matt King ( https://lists.w3.org/Archives/Public/public-aria-admin/2016Mar/0035.html) > I don’t like that you want to leave it open because we can’t tell the browser how to enforce password with an ARIA attribute. The fact that people are already not using the HTML5 password exists. Right, and so, for the non-sighted user today, a custom widget input field that doesn't have a special role of "password" defaults to a role of text-input, which, as Matt notes, is still a safer alternative. As I read the proposal today, the role="password" attribute is nothing more than a fancy accessible-name for an input that may, or may not, have the implied security associated to that input as well. Failing to address that problem is both sloppy and irresponsible in my opinion. > So, you are telling me that we should either leave password and if we put it in give the author no guidance on what they should do because it might create a greater security issue. Sorry, but I am not following your logic. My ongoing concern is this: A malicious actor can tell a blind user that the input field is a password field using the proposed role attribute, but, in fact, it isn't - that they would, in effect, use the role="password" attribute to LIE to the end user, who cannot visually verify that want the screen reader is saying ("star, star, star") is actually what is rendering on screen. You have not addressed that concern in all of your responses and put-downs of my position. For that level of trust to exist, the end user needs to rely on trusting more than just the page author, they have to trust their software tools as well. Moving forward however, yes, if the screen reader vendors agree with a MUST requirement on their software tools, then that may very likely be a solution: it is, as I noted previously, a question of trust. It is useful that Freedom Scientific has indicated agreement with Joanie's proposal ( https://lists.w3.org/Archives/Public/public-aria-admin/2016Mar/0052.html), and that Orca will also support this model, but I would love to hear feedback from both Apple and NVDA on this (as well as Dolphin Software/SuperNova, Serotek/System Access, and other screen reader vendors) before we assume this as a final decision. Partial support will be a scary scenario as well for affected users. Perhaps better still (as I have also previously proposed), the ARIA WG approach the browser vendors with our security concern, and see if they too will provide a level of "enforcement" around the newly proposed role attribute: "So unless browsers commit to treating role=”password” with the same security approach as input type=”password” we leave open a door for a security/privacy breach." - JF ( https://lists.w3.org/Archives/Public/public-aria-admin/2016Mar/0042.html) This approach, while untested today, may meet with resistance from the browser vendors - or maybe not. At a minimum, we should be asking them for their thoughts and input on this issue as well, as they *DO* have a horse in this race. JF On Thu, Mar 31, 2016 at 11:20 AM, Rich Schwerdtfeger <richschwer@gmail.com> wrote: > I spoke with Brett Lewis at Freedom Scientific and he agreed with the > solution that if a password role were applied that rather that echoing they > keys typed or speaking stars for each character typed that they need to > echo the character **rendered**. He also had no issues with making this > an author MUST for ATs because of the security issues. Users will also need > to be made aware that if they run across a password field and the > characters spoken, while typing, match their password that there are > exposed to a security risk. > > So, the net, net of this is that if we can get the ATVs to agree to this > then this would solve all the issues related to a role=“password”. > > > Rich > > Rich Schwerdtfeger > > > > > On Mar 29, 2016, at 4:01 PM, Joseph Scheuhammer <clown@alum.mit.edu> > wrote: > > On 2016-03-29 1:10 PM, Cynthia Shelly wrote: > > The password role does not prevent accessing the content of the > password field from script. > > > Somewhat tangential, but the same is true for an html5 password > <input>. Its @value attribute contains the password in plain text. > > -- > ;;;;joseph. > > 'Die Wahrheit ist Irgendwo da Draußen. Wieder.' > - C. Carter - > > > -- John Foliot Principal Accessibility Consultant Deque Systems Inc. john.foliot@deque.com Advancing the mission of digital accessibility and inclusion
Received on Friday, 1 April 2016 16:18:20 UTC