- From: lisa.seeman <lisa.seeman@zoho.com>
- Date: Wed, 07 Mar 2018 17:20:47 +0200
- To: "David MacDonald" <david100@sympatico.ca>
- Cc: "Chaals Nevile" <chaals@yandex.ru>, "John Foliot" <john.foliot@deque.com>, "WCAG" <w3c-wai-gl@w3.org>, "Alastair Campbell" <acampbell@nomensa.com>, "stommepoes@stommepoes.nl" <stommepoes@stommepoes.nl>, "Léonie Watson" <tink@tink.uk>
- Message-Id: <162010b1707.1130b94e9108985.6506334497895391270@zoho.com>
Hi David
From what we saw last time we looked into this issue, the concerns about autofill and security were debunked about five years ago. Do you have an updated source for this concern that is reputable and current? (The link below is a 404.)
All the best
Lisa Seeman
---- On Wed, 28 Feb 2018 21:50:28 +0200 David MacDonald<david100@sympatico.ca> wrote ---- 
Lisa
I'm interested in your opinion. One of COGA's main concerns was for the security and safety of people with cognitive disabilities online. Currently, 1.3.4 is basically mandating that authors add autofill which appears to have a phishing vulnerability. 
User autofills name and email, and positions inputs offscreen for all kinds of other information which is autofilled... At a recent talk I gave on WCAG 2.1, during questions and answers, two participants independently raised this concern. I had not mentioned security during the talk.
Will this SC help or hurt people with Cognitive disabilities?
Cheers,
David MacDonald
 
CanAdapt Solutions Inc.
Tel:  613.235.4902
twitter.com/davidmacd
http://www.can-adapt.com/
  
  Adapting the web to all users
            Including those with disabilities
 
On Wed, Feb 28, 2018 at 12:43 PM, Chaals Nevile <chaals@yandex.ru> wrote:
On Wed, 28 Feb 2018 18:33:42 +0100, Alastair Campbell
 <acampbell@nomensa.com> wrote:
 
  John wrote:
 
  RE: Horizontal Security Review: I think that the time is *now* (as other specs come to APA for their accessibility horizontal review at around this same time - i.e. CR or sooner).
  
 Maybe it has been submitted already, but noted, I’ll ask about that.
  
 Not sure where it would have been submitted. You could check with the Security IG, or look in the security considerations section(s) of relevant specs.
 
  I am stunned that the browsers have not addressed this *STILL*.
  
 I’m a bit surprised given the mainstream press on it, and it does put this SC in a difficult position.
  
 I'm sad rather than surprised.
 
  I would be interested to know from Charles or Léonie:
 
 * Is there active work on the issue of phishing user-data via autocomplete? [1]
  
 Not that I know of. It would be very helpful if you filed the relevant issues (since you have a head start on us in understanding the problem, so have more chance to get the framing right first-time).
 
  * Where would a suitable place for that discussion to happen?
  
 https://github.com/w3c/html/issues
 
  It occurs to me a good solution to prevent the phishing would be to add visible (foreground) symbols next to fields which can be autocompleted, a bit like Lastpass adds an icon inside of username/password inputs.
  
 Some browsers do something like this. I am pretty sure it is the case, for example, for Yandex browser.
 
  The browser could ensure the symbols are shown even if the inputs were hidden.  If those symbols were user-configurable, that would also help with the personalisation aspects as well (or at least be compatible).
  
  [1] the trigger for this discussion was a comment about this article:
 https://www.digitaltrends.com/computing/browser-bug-can-fill-in-personal-information-in-hidden-fields/
 If you fill in an autocomplete field (e.g. name), the site can have visually hidden fields with email, password, credit card number etc. It can grab that data without the user realising because it is auto-populated.
  
 That rings a bell, actually. I'll have a search through the HTML issues history...
 
 cheers
 
 -- 
 Using Opera's mail client: http://www.opera.com/mail/
 
 
 
Received on Wednesday, 7 March 2018 15:21:23 UTC
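
Added example, not part of the original thread: a heuristic audit for the issue described in footnote [1] above, flagging form fields that stay eligible for autofill while not being visible to the user. The helper names (`hiddenReason`, `auditForm`) and the field descriptors are constructed for illustration.

```javascript
// Added example. Field descriptors are constructed sample data; in a browser
// they would be built per input from getComputedStyle() and
// getBoundingClientRect() (rect offset by scroll position to page coordinates).
function hiddenReason({ style, rect }) {
  if (style.display === 'none') return 'display:none';
  if (style.visibility === 'hidden') return 'visibility:hidden';
  if (Number(style.opacity) === 0) return 'opacity:0';
  if (rect.width < 1 || rect.height < 1) return 'zero-size box';
  // Negative page coordinates can never be scrolled into view. A field far
  // down the page is NOT flagged: long forms legitimately extend below the fold.
  if (rect.right <= 0 || rect.bottom <= 0) return 'positioned offscreen';
  return null;
}

function auditForm(fields) {
  const findings = [];
  for (const f of fields) {
    const token = (f.autocomplete || '').trim().toLowerCase();
    if (token === 'off') continue; // author opted this field out of autofill
    const reason = hiddenReason(f);
    if (reason) findings.push({ name: f.name, token: token || '(none)', reason });
  }
  return findings;
}

// Constructed sample form: two visible fields, three concealed ones.
const shown = { display: 'block', visibility: 'visible', opacity: '1' };
const box = (left, top, w = 200, h = 30) =>
  ({ left, top, right: left + w, bottom: top + h, width: w, height: h });
const SAMPLE_FORM = [
  { name: 'fullname', autocomplete: 'name', style: shown, rect: box(20, 100) },
  { name: 'email', autocomplete: 'email', style: shown, rect: box(20, 150) },
  { name: 'phone', autocomplete: 'tel', style: shown, rect: box(-9999, 0) },
  { name: 'address', autocomplete: 'street-address', style: { ...shown, opacity: '0' }, rect: box(20, 200) },
  { name: 'card', autocomplete: 'cc-number', style: { ...shown, display: 'none' }, rect: box(0, 0, 0, 0) },
  { name: 'comments', style: shown, rect: box(20, 4000) }, // below the fold, visible
  { name: 'optout', autocomplete: 'off', style: { ...shown, display: 'none' }, rect: box(0, 0, 0, 0) },
];

console.log(auditForm(SAMPLE_FORM));
```

A finding is a prompt for manual review, since some accessible patterns also conceal inputs visually.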