[csswg-drafts] [css-ui-4] `input-security` may be misleading (#6449)

april has just created a new issue for https://github.com/w3c/csswg-drafts:

== [css-ui-4] `input-security` may be misleading ==
Hey there! Recently stumbled across #6239, as I was asking around to see if browsers were working on a way to standardize the "bisected-eye" password reveal functionality. Edge always has it, Chrome sometimes does, Firefox doesn't, and it's a bit of an a11y nightmare as a result.

Anyways, I was quite excited to see the `input-security` proposal in #6239. Wonderful that there has been some progress on this issue. That said, I have a concern I'd like to share, from my perspective as a former security engineer at Mozilla.

The name `input-security` is fairly vague in what it is offering, and may provide people with a false sense of security as to what it does (especially as `auto`). It's clear if you read the specification, but in a general sense it may mislead people, e.g. does `input-security` prevent JavaScript from reading the contents or not?

What I'd like to propose is something a bit more direct in its wording, `text-concealment-toggle`:

• `text-concealment-toggle: visible` (shows the bisected eye toggle)
• `text-concealment-toggle: none` (no bisected eye)
• `text-concealment-toggle: auto` (lets the user agent decide)

With the possible suggestion that user agents SHOULD show the toggle with `auto`, for accessibility reasons.

This would also allow a more general-purpose attribute for control over the concealment of input in general, if wanted, such as on `<input type="tel">`:

• `text-concealment: auto` (lets the user agent decide)
• `text-concealment: concealed` (shows asterisks)
• `text-concealment: none` (never shows asterisks)

Thanks so much!

Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/6449 using your GitHub account



Received on Wednesday, 14 July 2021 01:44:38 UTC