Web Security comments

I reviewed http://www.w3.org/TR/2009/WD-wsc-ui-20090226/
I have not sent in formal comments to them. The deadline was 19 March; no time
before/during CSUN.

There were some definitions and concepts I thought UAWG could use from this
document.

They use the same definition as WCAG but add the following explanations:

" the "Web user agent" may denote a combination of several applications,
extensions to such applications, operating system features, and assistive
technologies.

A common web user agent will therefore be a web browser with some number of
plug-ins, extensions, call outs to external systems which render particular
document formats, and assistive technologies."

We may be able to use or incorporate the concepts or words to make our
document better. 

The following text is taken directly from section 4.2 of the document, Terms and
Definitions [http://www.w3.org/TR/2009/WD-wsc-ui-20090226/#definitions]:

[Definition: Primary User Interface -   denotes the portions of a Web user
agent's user interface that are available to users without being solicited
by a user interaction.]

Examples of primary user interface include the location bar in common Web
user agents, the "padlock" icon present in common Web user agents, or error
pages that take the place of a Web page that could not be retrieved.

[Definition: Secondary User Interface - denotes the portions of a Web user
agent's user interface that are available to the user after they are
solicited by a specific user interaction.]

Examples of secondary user interface include the "Page Information" dialogue
commonly found in Web user agents, and the "Security Properties" dialogue
that can be obtained by clicking the padlock icon in common Web user agents.

[Definition: Location Bar is a widget in a Web user agent's user interface
which displays (and often allows input of) the textual location (entered as
a URL) of the resource being requested (or displayed - after the response is
received).]

------------------------------------------

Also useful was the discussion of 3.1 Product classes
http://www.w3.org/TR/2009/WD-wsc-ui-20090226/#conformance-products

This specification addresses Web user agents as a product class.

This specification also addresses products that might incorporate changes to
a web user agent, such as plug-ins, extensions, and others; they are
summarily called [Definition: plug-ins] in this section.

Such products that might incorporate changes to the web user agent, e.g.
through the addition or removal of features, can render an otherwise
conforming web user agent non-conforming, or vice versa.
------------------------

WSC has several levels of warning (caution, danger):
6.4.2 Warning/Caution Messages
http://www.w3.org/TR/2009/WD-wsc-ui-20090226/#error-warning
And 
6.4.3 Danger Messages
http://www.w3.org/TR/2009/WD-wsc-ui-20090226/#error-danger

Does UAAG need success criteria for this?
How should a UA communicate these warnings to the user?
How does a UA communicate the info now?

The goal should be: when a UA presents information, that information must meet
platform accessibility standards or WCAG standards, depending on how the UA
presents the information. We want dialogs, alerts, and warnings to be accessible
and distinguishable in a multimodal manner (visually and auditorily - some
sound is played). The security group also mentions a temporal element: disabling
the OK button for a number of seconds to make sure the user can't dismiss a
danger message out of hand by immediately hitting Enter when the dialog pops
up.

Also of concern is 
!! 7.3 Managing User Attention
http://www.w3.org/TR/2009/WD-wsc-ui-20090226/#interaction-flooding
 "when users interact with security relevant notifications, interactions
caused by web content MUST NOT be granted control of the user agent's
interaction."
 
Does this mean JavaScript should not be allowed to click an OK button in a
dialog?
Does the UA not allow JavaScript to interact in this fashion now?
How does the UA know that an alert is a security notification?
Does UAAG need success criteria for this? At first I thought yes...then on
reflection...no...it is covered in WSC. We should focus on accessibility.

I propose that the UAWG add a dependency on this document. 

===============================
Comments to WSC
WSC: User Interface should reference UAAG20

6.1.1 Identity Signal
http://www.w3.org/TR/2009/WD-wsc-ui-20090226/#identity-requirement 

The display of security information (e.g. the AA indicator (5.3), identity
signals (6.1.1)) must conform to UAAG: name, role, and state must be
available programmatically, must be easily discoverable by the user, and
must have a keybinding in the UI so the user can navigate to the information.
This information appears in the UA UI, and is or should be under the control
of the user agent - not the author.

In 6.1.2 Identity Signal Content
http://www.w3.org/TR/2009/WD-wsc-ui-20090226/#signal-content 
what is "human-readable information"? Is it text? If it is an image, it must
have name, role, state, and label (expanded information related to role).

Any thoughts?

Jim

Received on Wednesday, 25 March 2009 18:40:38 UTC
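The following is an added example, not code from the e-mail above or from the WSC draft it discusses. It models the three points the message raises about danger messages and identity signals: a dialog whose name, role and state are exposed programmatically with a keybinding for each control (the UAAG point under 6.1.1), a dialog that is announced in more than one modality and whose confirming action is held back for a number of seconds (the 6.4.3 discussion), and a dialog that refuses activation not initiated by the user (the 7.3 "managing user attention" requirement). Everything here is a DOM-free model that runs under Node.js: the `DangerDialog` class, its method names, the 2-second default hold-down period and the announcement modalities are assumptions, not anything the draft specifies; the `isTrusted` field on the event objects is modelled after the DOM `Event.isTrusted` property, which browsers set to false on events that page script synthesises with `dispatchEvent`.

```javascript
// Added example (not from the WSC draft or the e-mail): a DOM-free model of a
// browser "danger" dialog that (1) exposes name/role/state programmatically,
// (2) announces itself in several modalities, and (3) refuses to be confirmed
// during a hold-down period or by an activation that the user did not initiate.
// The clock and the announcer are injected so behaviour is deterministic.

const DEFAULT_HOLD_MS = 2000; // assumed hold-down period; the draft gives no number

class DangerDialog {
  constructor({ holdMs = DEFAULT_HOLD_MS, now = () => Date.now(), announce = () => {} } = {}) {
    this.holdMs = holdMs;
    this.now = now;
    this.announce = announce;
    this.state = "closed"; // closed | open | confirmed | cancelled
    this.openedAt = null;
    this.message = "";
  }

  // Show the dialog and announce it through every modality the host offers
  // (visual, audio, and the assistive-technology channel), so it is
  // distinguishable without relying on sight or hearing alone.
  open(message) {
    this.message = message;
    this.openedAt = this.now();
    this.state = "open";
    this.announce({ modality: "visual", text: message });
    this.announce({ modality: "audio", cue: "danger" });
    this.announce({ modality: "assistive-tech", role: "alertdialog", text: message });
    return this.accessibilityTree();
  }

  // True only while the dialog is open and the hold-down period has elapsed.
  confirmEnabled() {
    return this.state === "open" && this.now() - this.openedAt >= this.holdMs;
  }

  // Name, role and state of the dialog and its controls, as an assistive
  // technology would read them through the platform accessibility API.
  accessibilityTree() {
    return {
      role: "alertdialog",
      name: "Danger",
      description: this.message,
      modal: true,
      children: [
        { role: "button", name: "Go back", keybinding: "Escape", disabled: this.state !== "open" },
        { role: "button", name: "Proceed anyway", keybinding: "Enter", disabled: !this.confirmEnabled() },
      ],
    };
  }

  // Attempt to confirm. `event` models a DOM UI event: { type, key, isTrusted }.
  // isTrusted is false for events synthesised by page script, which is how the
  // model keeps web content from pressing the button on the user's behalf.
  confirm(event) {
    if (this.state !== "open") return { accepted: false, reason: "dialog not open" };
    if (!event.isTrusted) return { accepted: false, reason: "activation not initiated by user" };
    if (event.type === "keydown" && event.key !== "Enter") {
      return { accepted: false, reason: "key is not an activation key" };
    }
    if (!this.confirmEnabled()) return { accepted: false, reason: "hold-down period has not elapsed" };
    this.state = "confirmed";
    return { accepted: true };
  }

  // Cancelling is the safe choice, so a trusted cancel is accepted at any time.
  cancel(event) {
    if (this.state !== "open") return { accepted: false, reason: "dialog not open" };
    if (!event.isTrusted) return { accepted: false, reason: "activation not initiated by user" };
    this.state = "cancelled";
    return { accepted: true };
  }
}

// Deterministic walk-through with a fake clock and a recording announcer.
function demo() {
  let clock = 0;
  const announced = [];
  const dialog = new DangerDialog({ holdMs: 3000, now: () => clock, announce: (a) => announced.push(a) });
  // Constructed sample message; not a real site.
  const tree = dialog.open("The certificate presented by this site does not match its host name.");
  const confirmDisabledAtOpen = tree.children[1].disabled;
  const enterImmediately = dialog.confirm({ type: "keydown", key: "Enter", isTrusted: true });
  clock = 5000; // hold-down period is over
  const scriptedClickAfterWait = dialog.confirm({ type: "click", isTrusted: false });
  const userClickAfterWait = dialog.confirm({ type: "click", isTrusted: true });
  return {
    modalities: announced.map((a) => a.modality),
    confirmDisabledAtOpen,
    enterImmediately,
    scriptedClickAfterWait,
    userClickAfterWait,
    finalState: dialog.state,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The walk-through shows the order of checks that matters in practice: an Enter press the instant the dialog appears is refused because of the hold-down, a script-dispatched click is refused even after the wait because it is not a user-initiated event, and only a trusted activation after the period confirms the dialog. Cancelling is never held back, since dismissing a danger message toward the safe outcome needs no protection.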