
RE: Issue 948 SC 1.3.5 Identify Input Purpose - autocomplete technique VS Privacy/Security

From: Alastair Campbell <acampbell@nomensa.com>
Date: Tue, 5 Jun 2018 21:30:05 +0000
To: David MacDonald <david100@sympatico.ca>
CC: John Foliot <john.foliot@deque.com>, lisa.seeman <lisa.seeman@zoho.com>, WCAG <w3c-wai-gl@w3.org>
Message-ID: <AM5PR0902MB2002B0D3B06D94E6E96A2010B9660@AM5PR0902MB2002.eurprd09.prod.outlook.com>

Hi David,

The technique used doesn’t really matter: The issue raised is a shared device, so if it works it doesn’t matter how it works. Someone else coming to the same device (assuming the same login & profile etc) would have access to that data.

There is a lot more detail in the github thread, but I don’t think it’s a problem WCAG can (or should) solve, and the benefit out-weighs a (possible) downside.



From: David MacDonald

I'm wondering if we can provide a second set of techniques where using the programmatically determinable accname (<label for>, aria-label etc.) for common fields including:

- First Name
- Last Name
- Middle Name
- Address
- Phone Number
- etc...

AT should be able to identify these common fields if they are labelled in a way that makes its purpose obvious.

See this Twitter thread.

David MacDonald

CanAdapt Solutions Inc.

Tel:  613.235.4902






On Tue, Jun 5, 2018 at 4:16 PM, Alastair Campbell <acampbell@nomensa.com> wrote:
Hi everyone (and particularly John & Lisa),

I’d like to run a proposed response past the group before posting to github (and notifying the commenter before the group gets a chance to review).


I’d summarise the core issue as: using autocomplete/autofill could be an issue for privacy/security for people using shared devices (e.g. family computer), and autocomplete shouldn’t be proposed as a technique to fulfil it.

You can read the back and forth on the thread, but I’m proposing the response is:

The working group have considered the security and privacy aspects of this, and whilst it must be acknowledged there may be some circumstances in which a user would not want fields identified and auto-filled, the working group feel the benefits outweigh the risks.

Mitigating factors include:

- This is functionality that is already available in user-agents, and used by some websites already.
- It is something that must be enabled within the user-account and browser of the device used.
- People can use various privacy features if that is a requirement.

Currently the autocomplete attribute (for autofill) is the best supported method, so that will be the first technique provided.

Personally, I don’t see it as an issue, but I’d appreciate a review from others familiar with autocomplete.

Kind regards,


Received on Tuesday, 5 June 2018 21:30:34 UTC
