Re: [MIX] PF comments on Mixed Content - accessible indication and user controls

From: Brad Hill <hillbrad@fb.com>
Date: Wed, 10 Dec 2014 23:46:20 +0000
To: Michael Cooper <cooper@w3.org>, "public-webappsec@w3.org" <public-webappsec@w3.org>, WAI Liaison <wai-liaison@w3.org>
Message-ID: <D0AE1B2C.2620%hillbrad@fb.com>

Thank you, Michael.

Please let me know if you believe the following changes are sufficient:


-Brad Hill

From: Michael Cooper <cooper@w3.org>
Date: Wednesday, December 10, 2014 at 9:58 AM
To: "public-webappsec@w3.org" <public-webappsec@w3.org>, WAI Liaison <wai-liaison@w3.org>
Subject: [MIX] PF comments on Mixed Content - accessible indication and user controls
Resent-From: <public-webappsec@w3.org>
Resent-Date: Wednesday, December 10, 2014 at 9:58 AM

The Protocols and Formats Working Group has reviewed the Mixed Content specification and has two comments:

1) Section 4.3 - UI Requirements http://www.w3.org/TR/2014/WD-mixed-content-20140722/#requirements-ux

There is a requirement that the UI have a visual indication as to whether the connection is secure or not:

If a request for optionally blockable passive resources which are mixed content is not treated as active content (per requirement #3 above), then the user agent MUST NOT provide the user with a visible indication that the top-level browsing context which loaded that resource is secure (for instance, via a green lock icon). The user agent SHOULD instead display a visible indication that mixed content is present.

It is important to have a requirement that the indication is also available to assistive technology. Current implementations have an image icon that is not made available to accessibility APIs.

2) Section 4.4 - User Controls http://www.w3.org/TR/2014/WD-mixed-content-20140722/#requirements-user-controls

There are some MAY statements about user agents offering controls to limit exposure to blockable passive content and active mixed content.  Such controls need to be available to the assistive technology as well.

For the PFWG,
Michael Cooper

Received on Wednesday, 10 December 2014 23:46:48 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:43 UTC