- From: Rich Schwerdtfeger <richschwer@gmail.com>
- Date: Sat, 2 Apr 2016 06:22:13 -0500
- To: Chaals McCathie Nevile <chaals@yandex-team.ru>
- Cc: James Teh <jamie@nvaccess.org>, John Foliot <john.foliot@deque.com>, Joseph Scheuhammer <clown@alum.mit.edu>, Cynthia Shelly <cyns@microsoft.com>, Matt King <a11ythinker@gmail.com>, Léonie Watson <tink@tink.uk>, ARIA Working Group <public-aria-admin@w3.org>, David Bolter <dbolter@mozilla.com>, Dominic Mazzoni <dmazzoni@google.com>, James Craig <jcraig@apple.com>

No. We spoke to Microsoft browser people. They did not believe we made the problem worse. Our solution thus far actually narrows it for screen reader users. I asked Cynthia to reach out to Microsoft as I felt their browser team would be more experienced in dealing with browser security issues than an interest group.

That said, who do you recommend I ask in the security ig? Are they active?

Rich

Sent from my iPad

> On Apr 1, 2016, at 7:18 PM, Chaals McCathie Nevile <chaals@yandex-team.ru> wrote:
>
>> On Sat, 02 Apr 2016 01:19:22 +0200, Rich Schwerdtfeger <richschwer@gmail.com> wrote:
>>
>> The security hole already exists whether we apply the role or not. Yes it is a big concern.
>
> Sure. A concern I have is that if we accept that browsers won't do anything here, then by effectively just hoping authors do the right thing, we're actively expanding the security hole.
>
> I'm wondering if there is a design that doesn't do that. Also, did anyone ask the security IG (who do security review like APA does accessibility review) to take a look at this?
>
> cheers
>
>> Rich Schwerdtfeger
>>
>>> On Apr 1, 2016, at 6:12 PM, Chaals McCathie Nevile <chaals@yandex-team.ru> wrote:
>>>
>>> On Fri, 01 Apr 2016 23:55:22 +0200, Rich Schwerdtfeger <richschwer@gmail.com> wrote:
>>>
>>>> Hi James,
>>>>
>>>> Good to hear from you again.
>>>>
>>>> 1. Backward compatibility
>>>>
>>>> I understand. Is there a way for you to patch other versions?
>>>
>>> This is IMHO a really big concern. Given a broad deployment of stuff that can't obviously be updated, any security solution should not leave people unsecured just because they didn't upgrade. So a solution should be designed so it doesn't get applied in an insecure context, like an old AT missing the patching we hope will one day make this issue irrelevant.
>>>
>>> cheers
>>>
>>> Chaals
>>>
>>> --
>>> Charles McCathie Nevile - web standards - CTO Office, Yandex
>>> chaals@yandex-team.ru - - - Find more at http://yandex.com
>
> --
> Charles McCathie Nevile - web standards - CTO Office, Yandex
> chaals@yandex-team.ru - - - Find more at http://yandex.com

Received on Saturday, 2 April 2016 11:22:43 UTC