
RE: 7 Day Call for Consensus March 17, 2016 ARIA Working Group Resolutions

From: Léonie Watson <tink@tink.uk>
Date: Tue, 29 Mar 2016 14:44:00 +0100
To: "'Wendy Seltzer'" <wseltzer@w3.org>, "'Rich Schwerdtfeger'" <richschwer@gmail.com>
Cc: "'ARIA Working Group'" <public-aria-admin@w3.org>
Message-ID: <18f9a01d189c1$1025c820$30715860$@tink.uk>
> From: Wendy Seltzer [mailto:wseltzer@w3.org]
> Sent: 24 March 2016 20:56
> Yes, I think it's a security problem if what is displayed to users through
> different interfaces of the same field differs. Inevitably, someone will design
> a system that makes the wrong assumptions based on what *they*
> encounter, and it will fail for users who get different behavior. For example,
> if the screen-reader were told to obscure characters but the visible password
> field did not, a person using a screen-reader could be misled about how the
> interface functioned (or vice versa).

That's interesting. I hadn't considered that a purpose-built attack might be created to take advantage of this security hole.

> The WebAppSec group could be another source for advice here. Let me
> know how I can help follow up.

Thanks Wendy. I think this would be helpful, but will leave it with Rich.

Received on Tuesday, 29 March 2016 13:44:36 UTC
