- From: Michael Pluke <Mike.Pluke@castle-consult.com>
- Date: Thu, 9 Feb 2017 22:32:05 +0000
- To: David MacDonald <david@can-adapt.com>
- CC: Sailesh Panchang <sailesh.panchang@deque.com>, EA Draffan <ead@ecs.soton.ac.uk>, WCAG <w3c-wai-gl@w3.org>, Jonathan Avila <jon.avila@ssbbartgroup.com>, Alastair Campbell <acampbell@nomensa.com>, Glenda Sims <glenda.sims@deque.com>, Gregg C Vanderheiden <greggvan@umd.edu>
- Message-ID: <bfac679078974f1db07c1402623d83ff@E15MADAG-D05N01.sh11.lan>
I’m sure that you’ve correctly identified the problem with simply elevating SC 2.2.5 to a higher level. I personally like the suggested additional text that might be sufficient to allow us to have a new level A or AA SC. Best regards Mike From: David MacDonald [mailto:david@can-adapt.com] Sent: 09 February 2017 17:17 To: Michael Pluke <Mike.Pluke@castle-consult.com> Cc: Sailesh Panchang <sailesh.panchang@deque.com>; EA Draffan <ead@ecs.soton.ac.uk>; WCAG <w3c-wai-gl@w3.org>; Jonathan Avila <jon.avila@ssbbartgroup.com>; Alastair Campbell <acampbell@nomensa.com>; Glenda Sims <glenda.sims@deque.com>; Gregg C Vanderheiden <greggvan@umd.edu> Subject: Re: Timing Adjustable: does it apply to timeout from inactivity (no mouse, keyboard activity) >>I’d be happier to imagine a world where some users are unavoidably timed out of sessions (for security reasons or reasons beyond their control) but where they could always guarantee to re-enter the session at the same point without having lost any entered information and choices made. Me too... I believe there were some difficulties in getting that through in WCAg 2. We really tried, but security people shot it down...maybe this time around we can scope out those situations that are concerning about storing data that the user filled in... perhaps we could say something like "...preserving all of the data entered and steps completed by the user, and allowing them to return to the step at which they were forcibly logged out... if such data was stored and is retrievable." Cheers, David MacDonald CanAdapt Solutions Inc. Tel: 613.235.4902 LinkedIn <http://www.linkedin.com/in/davidmacdonald100> twitter.com/davidmacd<http://twitter.com/davidmacd> GitHub<https://github.com/DavidMacDonald> www.Can-Adapt.com<http://www.can-adapt.com/> Adapting the web to all users Including those with disabilities If you are not the intended recipient, please review our privacy policy<http://www.davidmacd.com/disclaimer.html> On Thu, Feb 9, 2017 at 11:57 AM, Michael Pluke <Mike.Pluke@castle-consult.com<mailto:Mike.Pluke@castle-consult.com>> wrote: You are right that "preserving all of the data entered and steps completed by the user, and allowing them to return to the step at which they were forcibly logged out" is really the same as what SC 2.2.5 proposes – but unfortunately it is only AAA. However, Jason White is right when he highlights the importance of this aspect of the proposal and says it “is an aspect of the proposal that should be supported in relation to time limits for which it makes sense.” What might be good is to see if it is possible to break this out and “identify the time limits for which it makes sense”, include those in the scope, and create a new success criteria that elevates this to at least AA, preferably to A. I’d be happier to imagine a world where some users are unavoidably timed out of sessions (for security reasons or reasons beyond their control) but where they could always guarantee to re-enter the session at the same point without having lost any entered information and choices made. Best regards Mike From: Sailesh Panchang [mailto:sailesh.panchang@deque.com<mailto:sailesh.panchang@deque.com>] Sent: 09 February 2017 16:21 To: David MacDonald <david@can-adapt.com<mailto:david@can-adapt.com>> Cc: EA Draffan <ead@ecs.soton.ac.uk<mailto:ead@ecs.soton.ac.uk>>; WCAG <w3c-wai-gl@w3.org<mailto:w3c-wai-gl@w3.org>>; Jonathan Avila <jon.avila@ssbbartgroup.com<mailto:jon.avila@ssbbartgroup.com>>; Alastair Campbell <acampbell@nomensa.com<mailto:acampbell@nomensa.com>>; Glenda Sims <glenda.sims@deque.com<mailto:glenda.sims@deque.com>>; Gregg C Vanderheiden <greggvan@umd.edu<mailto:greggvan@umd.edu>> Subject: Re: Timing Adjustable: does it apply to timeout from inactivity (no mouse, keyboard activity) If the user fails to convey activity or to respond to the 'Continue session?' dialog then it is ok to be timed out. If the application is going to permit one to extend session say a limited number of times, then it is important for the dialog to convey that. i.e. "Continue session? (8 attempts left)' I usually recommend pretty much what the WCAG says: "Warn the user before time expires and give the user at least 20 seconds to extend the time limit with a simple action (for example, "press the space bar"). Show this warning a few times as considered reasonable (WCAG suggests at least ten times)". Content authors can then balance security and accessibility requirements. By the way, I find some applications do a poor job of sensing activity and the popup appears even as one is interacting with an application: even apps that for which timing is not criticaal, like entering data into an online tax app as against an online ticket purchase site. Is what Jason requests, "preserving all of the data entered and steps completed by the user, and allowing them to return to the step at which they were forcibly logged out" not the same as what SC 2.2.5 suggests? Thanks and regards, Sailesh Panchang On 2/9/17, David MacDonald <david@can-adapt.com><mailto:david@can-adapt.com%3e> wrote: >> If the suggested minimal activity were possible and there was some way of > alerting the user to the time passing, that would be a better solution than > not being able to complete the task, as long as the security experts are > happy. > > In the scenario I'm interested in, the session says open while the user is > active in the program. It would only time out if they didn't interact with > the page for 15 minutes. So the clock is not counting down while they are > interacting with the site, only when they are not interacting with it. > > Cheers, > David MacDonald > > > > *Can**Adapt* *Solutions Inc.* > Tel: 613.235.4902<tel:(613)%20235-4902> > > LinkedIn > <http://www.linkedin.com/in/davidmacdonald100><http://www.linkedin.com/in/davidmacdonald100%3e> > > twitter.com/davidmacd<http://twitter.com/davidmacd> > > GitHub <https://github.com/DavidMacDonald><https://github.com/DavidMacDonald%3e> > > www.Can-Adapt.com<http://www.Can-Adapt.com> <http://www.can-adapt.com/><http://www.can-adapt.com/%3e> > > > > * Adapting the web to all users* > * Including those with disabilities* > > If you are not the intended recipient, please review our privacy policy > <http://www.davidmacd.com/disclaimer.html><http://www.davidmacd.com/disclaimer.html%3e> > > On Thu, Feb 9, 2017 at 10:18 AM, EA Draffan <ead@ecs.soton.ac.uk><mailto:ead@ecs.soton.ac.uk%3e> wrote: > >> If the suggested minimal activity were possible and there was some way of >> alerting the user to the time passing, that would be a better solution >> than >> not being able to complete the task, as long as the security experts are >> happy. >> >> Best wishes >> E.A. >> >> Mrs E.A. Draffan >> WAIS, ECS , University of Southampton >> Mobile +44 (0)7976 289103<tel:+44%207976%20289103> >> http://access.ecs.soton.ac.uk<http://access.ecs.soton.ac.uk/><http://access.ecs.soton.ac.uk/%3e> >> UK AAATE rep http://www.aaate.net/ >> >> >> ________________________________ >> From: David MacDonald [david@can-adapt.com<mailto:david@can-adapt.com>] >> Sent: 09 February 2017 14:53 >> To: WCAG; Jonathan Avila; Alastair Campbell; Glenda Sims; Gregg C >> Vanderheiden >> Subject: Timing Adjustable: does it apply to timeout from inactivity (no >> mouse, keyboard activity) >> >> I've been asked to comment on the newly proposed "timed events" SC. (1) >> >> What are other evaluators doing with time outs from inactivity? I've >> been >> recommending a warning before 20 seconds before the time out "Do you need >> more time" with "yes/no" buttons. >> >> But if the session stays open as long as the user is active, one might >> argue that the user extended the time limit simply by clicking, >> scrolling, >> typing ... if they did *nothing* it would time out in 15 minutes, but by >> using the mouse/keyboard at least every 14:59, they could stay in their >> account for up to 150 minutes. >> >> It's a significant question, because if that is the case then I'd say >> there is more flexibility with COGA's requests, which would deal with a >> *truly* timed events rather than a simple inactivity logout. Security >> people worry about an abandoned computer left open to others to exploit >> and >> don't like extending inactivity logouts. >> >> Thoughts? >> >> ========== >> >> (1) https://github.com/w3c/wcag21/issues/14 >> >> >> Cheers, >> David MacDonald >> >> >> >> CanAdapt Solutions Inc. >> >> Tel: 613.235.4902<tel:(613)%20235-4902> >> >> LinkedIn >> <http://www.linkedin.com/in/davidmacdonald100><http://www.linkedin.com/in/davidmacdonald100%3e> >> >> twitter.com/davidmacd<http://twitter.com/davidmacd><http://twitter.com/davidmacd><http://twitter.com/davidmacd%3e> >> >> GitHub<https://github.com/DavidMacDonald><https://github.com/DavidMacDonald%3e> >> >> www.Can-Adapt.com<http://www.Can-Adapt.com><http://www.can-adapt.com/><http://www.can-adapt.com/%3e> >> >> >> >> Adapting the web to all users >> >> Including those with disabilities >> >> If you are not the intended recipient, please review our privacy policy< >> http://www.davidmacd.com/disclaimer.html><http://www.davidmacd.com/disclaimer.html%3e> >> > ________________________________
Received on Thursday, 9 February 2017 22:32:55 UTC