Re: proposed responses

Is it possible to use an example other than login? I believe the lack of
distinction as to whether the error is in the name or the password is a
security issue, so that attackers don't get feedback when they stumble onto
a valid user name.

Loretta 



> 
>> LC 979 
>> 
> http://w3.org/WAI/GL/WCAG20/issue-tracking/viewdata_individual.php?id=979
> I think Al is trying to say that we need to be more specific.  He wants to
> see clear identification of the error at level 1 and more information to
> help correct it at level 2.  In the login example, the error should be
> specific as to whether the problem is a bad username or a bad password.
> This could be identified with the proper return of error codes.  His
> example is that people following the SC as written could provide text that
> says, "bad password" for all login errors rather than just the specific
> error of bad password.  And, if the error code was more specific, an AT
> could interpret and provide the correct error (either bad password or bad
> username).  I agree that we should include the response of 626 to address
> his concern about text vs. metadata. The better way to address his concern
> might be in the how to meet section by explaining the error should be as
> specific as possible.  We might also want to include an example that
> allows the AT to present the user with the information.
> 
> Example:  A login form has fields for user name and password.  A form
> submitted with a bad username will be reloaded. The form will contain a
> textual error message at the top which states, "invalid login".  The
> username field has been updated with metadata indicating that the value
> was invalid. When the user sets focus to the username field, the user
> agent and/or AT will interpret the metadata and indicate to the user that
> the current value is invalid. Thus, the user is aware from the text
> message in the form that the login was invalid and the user agent and/or
> AT can interpret additional information about the specific error (invalid
> username) and present it to the user. 

Received on Wednesday, 20 September 2006 14:34:55 UTC