- From: Richard Schwerdtfeger <richschwer@gmail.com>
- Date: Sat, 2 Apr 2016 07:34:31 -0500
- To: tink@tink.uk
- Cc: Chaals McCathie Nevile <chaals@yandex-team.ru>, James Teh <jamie@nvaccess.org>, John Foliot <john.foliot@deque.com>, Joseph Scheuhammer <clown@alum.mit.edu>, Cynthia Shelly <cyns@microsoft.com>, Matt King <a11ythinker@gmail.com>, ARIA Working Group <public-aria-admin@w3.org>, David Bolter <dbolter@mozilla.com>, Dominic Mazzoni <dmazzoni@google.com>, James Craig <jcraig@apple.com>
> On Apr 2, 2016, at 6:37 AM, Léonie Watson <tink@tink.uk> wrote:
>
>> From: Rich Schwerdtfeger [mailto:richschwer@gmail.com]
>> Sent: 02 April 2016 12:22
>>
>> No. We spoke to Microsoft browser people. They did not believe we made
>> the problem worse.
>
> We also heard from Wendy Seltzer, who agreed that the proposed role
> definition represented a risk because of the possible discrepancy between
> the visual and aural representations.
>

Our revised text says the AT should read the actual rendered text. If the AT reads the actual rendered text, how is that a discrepancy between the visual and aural rendering? Currently, without a password role, the potential exists for a discrepancy between the spoken text and the obscured text with custom password fields. Backward compatibility issues will exist unless AT vendors can patch old code or we create a custom password role in the AAPI mappings that allows for a fallback to a text field, which would be as insecure as the situation is now, where the user may or may not determine that they have a password field and the text typed is spoken.

>>
>> Our solution thus far actually narrows it for screen reader users.
>>
> No, I'm sorry, it doesn't. It changes the security risk, it doesn't narrow
> it down. If anything the uncertainty factor makes it a much more serious
> problem.
>
> The updated role definition is a step in the right direction, but Jamie Teh
> raises some valid points.
>
> We need to hear from other SR vendors including Apple, Dolphin and
> GWMicro/AISquared, and it would be helpful if we could point to wherever
> Freedom Scientific and others have expressed their commitment to
> implementing the role as described.

Apple has been copied but has not weighed in. They are a part of the ARIA WG. I will ask Freedom to give you their response on the list. I have a to-do to reach out to other vendors (previous post). Dolphin and GW Micro were on my list to reach out to.
However, it is impractical to ask the working group to reach out to every vendor possible. For example, there are screen reader vendors in Japan. As chair I am going to draw a line there. We need to prove 2 implementations and, although this is not a MUST statement, I think for security we should try to get 2 implementations regardless. More than that is beyond what is required by the working group. The

>
>> I asked Cynthia to reach out to Microsoft as I felt their browser team
>> would be more experienced in dealing with browser security issues than an
>> interest group. That said, who do you recommend I ask in the security ig?
>> Are they active?
>
> Wendy offered a review by WebAppsSec. Perhaps we could take her up on that
> offer?
>
> Léonie.
>
> --
> @LeonieWatson tink.uk Carpe diem.
Received on Saturday, 2 April 2016 12:35:07 UTC