Re: Security Evaluation Request

This does make a systematic attack on those password fields a bit easier - at present, if I was to write a malicious browser plugin to capture such passwords I’d have to find the field on each site (e.g. by finding the label Password) etc.; it would be mildly tricky to make it work on all sites. With this ARIA tag I could do that trivially.

I suspect the real-world difference in ease of writing a password-stealing plugin is minimal, but this is a little bit worse than the current situation. It’s probably tolerable additional risk.


I agree with the comments that we should discourage people from doing this, but given they are doing it I’d argue it should be made potentially accessible.


Ben Gidley
On 08/04/2016, 14:38, "Gervase Markham" <gerv@mozilla.org> wrote:

>On 06/04/16 21:27, Rich Schwerdtfeger wrote:
>> ARIA is not meant to be the web police. The reality is that people are
>> doing this in the wild and if you are interacting with one of these
>> things and you can’t see the screen you want to know what the intent of
>> the author is. 
>
>So the target of this feature is people who care enough about web
>accessibility to include ARIA roles, but not enough to use semantic markup?
>
>> So, we agree that people should not do this but if a user encounters it
>> they need to know what it is for. Does adding the role attribute with a
>> value of “password" create a security problem that was not there before?
>
>Well, it encourages people to use non-password fields for passwords,
>which is arguably a security problem because if people's password
>managers don't save the passwords, they are more likely to use bad
>(simple, short) passwords.
>
>Gerv
>
>

Received on Friday, 8 April 2016 13:58:09 UTC
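The thread's concern is that a custom control carrying role="password" is not a real `<input type="password">`, so the browser's masking, autocomplete handling and password managers do not apply to it. A site owner can catch that pattern with a simple audit of the served HTML. The script below is an added example written for this archive page, not code from the W3C discussion or the ARIA specification; it uses only Python's standard-library html.parser, and the SAMPLE_HTML markup is constructed for illustration.

```python
"""Audit HTML for password fields that rely on role="password" rather than a
native <input type="password">. Added example; SAMPLE_HTML is constructed."""
from html.parser import HTMLParser


class PasswordRoleAuditor(HTMLParser):
    """Collects elements marked role="password" that are not native password inputs."""

    def __init__(self):
        super().__init__()
        self.findings = []       # non-native elements carrying role="password"
        self.native_fields = 0   # <input type="password"> elements seen

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names; values may be None for bare attributes.
        a = {k: (v or "") for k, v in attrs}
        role = a.get("role", "").strip().lower()
        is_native = tag == "input" and a.get("type", "").strip().lower() == "password"
        if is_native:
            self.native_fields += 1
        elif role == "password":
            line, _col = self.getpos()
            self.findings.append({
                "line": line,
                "tag": tag,
                "id": a.get("id", ""),
                "advice": 'use <input type="password"> so masking, autocomplete '
                          'rules and password managers apply',
            })


def audit_password_fields(html):
    """Return a summary: count of native password inputs and a list of findings."""
    parser = PasswordRoleAuditor()
    parser.feed(html)
    parser.close()
    return {"native": parser.native_fields, "findings": parser.findings}


# Constructed sample: one correct native field and two role-only imitations.
SAMPLE_HTML = """<form>
  <label for="u">Username</label><input id="u" type="text">
  <label for="p">Password</label><input id="p" type="password">
  <div id="pw" role="password" contenteditable="true" aria-label="Password"></div>
  <input id="pin" type="text" role="PASSWORD" autocomplete="off">
</form>
"""

if __name__ == "__main__":
    report = audit_password_fields(SAMPLE_HTML)
    print(f"native password inputs: {report['native']}")
    for f in report["findings"]:
        print(f"line {f['line']}: <{f['tag']} id=\"{f['id']}\"> has role=\"password\" "
              f"but is not a native password input; {f['advice']}")
```

Run against the constructed sample it reports the `<div>` on line 4 and the text input on line 5 while accepting the native field. Feeding it a crawled page or a template directory gives a quick inventory of where a site has chosen the ARIA role over the semantic element, which is the case Gerv's reply argues leads to weaker passwords in practice.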