Re: 7 Day Call for Consensus March 17, 2016 ARIA Working Group Resolutions

On Sat, 02 Apr 2016 01:19:22 +0200, Rich Schwerdtfeger  
<richschwer@gmail.com> wrote:

> The security hole already exists whether we apply the role or not. Yes  
> it is a big concern.

Sure. A concern I have is that if we accept that browsers won't do  
anything here, then by effectively just hoping authors do the right thing,  
we're actively expanding the security hole.

I'm wondering if there is a design that doesn't do that. Also, did anyone  
ask the security IG (who do security review like APA does accessibility  
review) to take a look at this?

cheers

> Rich Schwerdtfeger
>
>> On Apr 1, 2016, at 6:12 PM, Chaals McCathie Nevile  
>> <chaals@yandex-team.ru> wrote:
>>
>> On Fri, 01 Apr 2016 23:55:22 +0200, Rich Schwerdtfeger  
>> <richschwer@gmail.com> wrote:
>>
>>> Hi James,
>>>
>>> Good to hear from you again.
>>>
>>> 1. Backward compatibility
>>>
>>> I understand. Is there a way for you to patch other versions?
>>
>> This is IMHO a really big concern. Given a broad deployment of stuff  
>> that can't obviously be updated, any security solution should not leave  
>> people unsecured just because they didn't upgrade. So a solution should  
>> be designed so it doesn't get applied in an insecure context, like an  
>> old AT missing the patching we hope will one day make this issue  
>> irrelevant.
>>
>> cheers
>>
>> Chaals
>>
>> --
>> Charles McCathie Nevile - web standards - CTO Office, Yandex
>> chaals@yandex-team.ru - - - Find more at http://yandex.com

-- 
Charles McCathie Nevile - web standards - CTO Office, Yandex
  chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Saturday, 2 April 2016 00:18:52 UTC