- From: <chaals@yandex-team.ru>
- Date: Wed, 10 Dec 2014 05:45:33 +0300
- To: W3C Privacy IG <public-privacy@w3.org>
Hi folks, (sorry, I just managed to join the mailing list - I had thought it happened automatically. I'll introduce myself later…) I have an action from the W3C HTML accessibility task force to ask you to look at bug 23614 <https://www.w3.org/Bugs/Public/show_bug.cgi?id=23614>, which suggests that accessKeyLabel might expose user information. accesskey is an HTML attribute to provide a keyboard shortcut for a link, button, etc. It suggests a list of possible keys to use. But the browser decides what *actual* key combination to use, and exposes that through the accessKeyLabel property in the DOM. For example consider a link written as <a href="foo" accesskey="f o 0">… The browser may have reserved every combination based on the "f" and "o" keys, and decide to use ctrl-option-0 as the shortcut for that link. If it does things right, the link will then have a DOM attribute of accessKeyLabel with the value "ctrl-option-0". The concern is that this enables fingerprinting, or determining something about what systems (especially extensions and assistive technology) the user has installed, which in turn exposes personal information about the user. Is this a real problem we should consider? cheers Chaals -- Charles McCathie Nevile - web standards - CTO Office, Yandex chaals@yandex-team.ru - - - Find more at http://yandex.com
Received on Wednesday, 10 December 2014 02:46:03 UTC