Re: Security Evaluation Request from Rich Schwerdtfeger on 2016-04-06 (public-aria@w3.org from April 2016)

From: Rich Schwerdtfeger <richschwer@gmail.com>
Date: Wed, 6 Apr 2016 15:27:55 -0500
To: Gervase Markham <gerv@mozilla.org>
Cc: Virginie.Galindo@gemalto.com, public-web-security@w3.org, ARIA <public-aria@w3.org>, Mike Cooper <cooper@w3.org>
Message-Id: <3FA021E1-B463-4537-9FC5-720759D5CDA3@gmail.com>

Gervase,

ARIA is not meant to be the web police. The reality is that people are doing this in the wild and if you are interacting with one of these things and you can’t see the screen you want to know what the intent of the author is. 

So, we agree that people should not do this but if a user encounters it they need to know what it is for. Does adding the role attribute with a value of “password" create a security problem that was not there before?

Rich

Rich Schwerdtfeger

> On Apr 6, 2016, at 4:35 AM, Gervase Markham <gerv@mozilla.org> wrote:
> 
> On 05/04/16 19:39, Richard Schwerdtfeger wrote:
>> The reason for the new role is that authors are creating custom password
>> input fields instead of the native HTML input type=“password”.
> 
> Why would we want to encourage this behaviour in any way? This seems
> like de-semanticisation of HTML, which is surely not in the ARIA Working
> Group's interest?
> 
> Gerv

Received on Wednesday, 6 April 2016 20:28:27 UTC