Re: 7 Day Call for Consensus March 17, 2016 ARIA Working Group Resolutions

Thanks very much, Léonie,

Yes, I think it's a security problem if what is displayed to users
through different interfaces of the same field differs. Inevitably,
someone will design a system that makes the wrong assumptions based on
what *they* encounter, and it will fail for users who get different
behavior. For example, if the screen-reader were told to obscure
characters but the visible password field did not, a person using a
screen-reader could be misled about how the interface functioned (or
vice versa).

The WebAppSec group could be another source for advice here. Let me know
how I can help follow up.

Best,
--Wendy


On 03/22/2016 10:38 AM, Léonie Watson wrote:
>  
> 
> From: Rich Schwerdtfeger [mailto:richschwer@gmail.com] 
> Sent: 20 March 2016 16:5
> 
> “On the other hand, a screen reader could announce the characters being typed and not know to not do that. Furthermore, people are creating these things today and there is no way to know that the textfield is a password field. Would you prefer to not know?”
> 
>  
> 
> The role as a means to identify the purpose of the field is one thing, the described AT behaviour is another. Whilst there is a chance that what is displayed on-screen and what is announced by a screen reader may not match, there is a problem.
> 
>  
> 
> I’m at the AC meetings this week, and took the opportunity to ask a couple of privacy/security people for their thoughts, in case I am worried over nothing. Virginie Galindo and Wendy Seltzer both felt that a potential mismatch between what’s on-screen and what’s announced by a screen reader would be of concern. Wendy has suggested that WebAppSec could take a look, which I think would be helpful.
> 
>  
> 
> Léonie.
> 
>  
> 
> @LeonieWatson tink.uk Carpie diem.
> 
> 


-- 
Wendy Seltzer -- wseltzer@w3.org +1.617.715.4883 (office)
Policy Counsel and Domain Lead, World Wide Web Consortium (W3C)
http://wendy.seltzer.org/        +1.617.863.0613 (mobile)

Received on Thursday, 24 March 2016 20:56:10 UTC