16:24:20 RRSAgent has joined #aria 16:24:20 logging to http://www.w3.org/2016/03/31-aria-irc 16:24:22 RRSAgent, make logs world 16:24:22 Zakim has joined #aria 16:24:24 Zakim, this will be 16:24:24 I don't understand 'this will be', trackbot 16:24:25 Meeting: Accessible Rich Internet Applications Working Group Teleconference 16:24:25 Date: 31 March 2016 16:24:28 chair: Rich 16:24:35 RRSAgent, make log public 16:26:49 present+ Michiel_Bijl 16:28:16 mck has joined #aria 16:28:18 present+ Joanmarie_Diggs 16:28:56 https://lists.w3.org/Archives/Public/public-aria/2016Mar/0218.html 16:29:04 fesch has joined #aria 16:29:12 present+ Rich_Schwerdtfeger 16:30:13 present+ fesch 16:31:45 present+ Janina 16:32:44 present+ matt_king 16:34:24 cyns has joined #aria 16:36:27 https://lists.w3.org/Archives/Public/public-aria/2016Mar/0218.html 16:36:54 scribe: fesch 16:37:07 Topic: CSUN roundtable discussion 16:37:13 jongund has joined #aria 16:37:17 jemma has joined #aria 16:37:18 s/discussion// 16:38:01 js: refreshable Braille display for $500 announced at CSUN! Bluetooth... 16:38:01 can someone copy webx meeting url? 16:38:08 clown has joined #aria 16:38:36 s/roundtable/round the table/ 16:38:59 js: quality of dots are great... 16:39:18 present+ Joseph_Scheuhammer 16:39:23 what is the URL fro webex? 16:40:50 what is the webex room number? 16:40:54 jamesn has joined #aria 16:41:03 yeah. it asks Enter the meeting number to join. 16:41:05 rrsagent, make minutes 16:41:05 I have made the request to generate http://www.w3.org/2016/03/31-aria-minutes.html jamesn 16:41:14 Topic: CFC for Password Role 16:41:26 or host room id 16:41:46 rs: folks are making custom widgets that take passwords 16:42:00 can't seem to join webex 16:42:12 mk: AT are capable of echoing keys, not all users choose to echo keys 16:42:45 mk: most screen readers may have key echo on by default - new users may not know how to turn it off 16:43:04 present + JaEunJemmaKu 16:43:43 rs: if echoing characters, with a input / password some AT say * instead of echoing keys... but text may be visible and they won't be aware 16:43:46 q+ To make slight clarification about "require" 16:43:57 q+ to ask how to get the rendered characters. 16:44:02 rs: Joanie Diggs has a solution... describes.... 16:44:38 rs: talking with AT vendors... one vendor doesn't have a problem with a MUST being added to the spec 16:44:40 q+ 16:44:47 q+ to ask about AT MUST, with precedent and what happens if not all covered 16:44:49 q= 16:44:53 q+ 16:45:09 mc: can't be sure that password is hidden on the screen 16:45:30 q? 16:45:37 ack joanie 16:45:37 joanie, you wanted to make slight clarification about "require" 16:45:39 s /mc/mb/ 16:46:41 q+ to ask do we have consensus of the issue that authors will create non-password passwords? 16:46:46 jd: even if we don't create a password role, there are already things that can toggle whether keys are displayed or not, screen readers need to ... 16:46:47 q+ To note that you need to be able to have some kind of echo in mobile 16:47:03 q+ to say seems to me most important that users know it´s a password; they can take local security steps if they feel the need 16:47:20 q? 16:47:21 q+ 16:47:28 ack clown 16:47:28 clown, you wanted to ask how to get the rendered characters. 16:47:45 jd: we should go to each AT vendor and see what they do, if they are only showing stars then we need to convince them what is wrong 16:48:09 q? 16:48:10 jd: an AT gets it from the accessible text API 16:48:35 jd: when we get, we always get the rendered text 16:48:53 js: Can you point to a password, in the wild? 16:49:01 rs: came from Cyns... 16:49:18 s/when we get/for all elements, when ATs get the text/ 16:49:47 cyns: came from James Nurthen... my security people say adding a password role does not increase risk because of physical presence 16:50:07 q? 16:50:21 cyns: only possibility is an over the shoulder attack which requires physical presence 16:50:23 bgaraventa1979 has joined #aria 16:50:29 ack jamesn 16:50:50 bgaraventa1979 has joined #aria 16:51:14 present+ Bryan_Garaventa 16:51:44 jn: I haven't seen one, but asked my security team - they said that folks want to avoid password managers and the way to work around that - they do not use a password field, because they want to suppress autocomplete on password fields 16:52:08 q? 16:52:09 js: firefox doesn't support autocomplete in passwords, 16:52:24 jn: but you can't stop password managers 16:52:57 s/support autocomplete in passwords/support autocomplete in input type=password/ 16:53:02 q? 16:53:02 ack me 16:53:03 MichaelC, you wanted to ask about AT MUST, with precedent and what happens if not all covered and to ask do we have consensus of the issue that authors will create non-password 16:53:03 ... passwords? and to say seems to me most important that users know it´s a password; they can take local security steps if they feel the need 16:53:07 ack MichaelC 16:53:07 jn: think attacking screen reader users, is a red herring 16:53:42 mc: discussion predicates that people don't use a input password field 16:54:02 mc: if authors don't use something else, then it isn't needed 16:54:16 q? 16:54:38 mc: what about the MUST in the spec, one vendor agrees, but we need more input 16:55:12 mc: looking through all the options, the best thing is letting the user know it is a password, so even if there isn't tool support then they are more vunerable 16:55:29 q? 16:55:36 mc: an authoring practice - put password in you label could help as well 16:55:55 cs: I raised this, it seems like a hole in a spec 16:55:55 q+ 16:56:15 cs: in my experience developers will make anything... 16:56:41 cs: my security folks said adding password role would not increase a security risk 16:56:52 q? 16:56:56 ack cyns 16:57:23 js: wanted to make sure we consider mobile - where you have to hear the keys you are using 16:57:45 ack janina 16:57:45 janina, you wanted to note that you need to be able to have some kind of echo in mobile 16:57:57 ack mck 16:58:02 js: if someone is standing over your shoulder, then you have to have a solution... I lowered the volume... to do that 16:58:23 q? 16:58:30 mk: I am wary of doing an AT MUST path, no problem with an AT SHOULD 16:58:54 q+ 16:59:01 q+ to say I'd like to see AT MUST as a general thing, but as an intentional decision, not by backing into it 16:59:18 I am too (which is the summary of my earlier comment which Fred asked me to minute) 16:59:42 mk: also rare when an AT user is unaware that they are typing in a password, so the user can already take action (mute echo...) to protect themselves 17:00:12 mk: so we are designing for the AT not the user... that is the primary purpose... not anything for the end user 17:01:07 mk: if you do input type=password does the value have the password value in clear text? Would that impact the AT ability to obscure the text? 17:01:54 js: I made a similar statement about the value in the password field is plain text. 17:02:03 q? 17:02:04 jd: no 17:02:23 jd: the rendered text is what you get in the AT 17:02:49 mc: in the accessibility API you don't get the plain text 17:02:55 ack MichielBijl 17:03:01 s/mc/mb/ 17:03:03 ack me 17:03:21 mb: I don't think we really need the role 17:03:41 cs: that is the point, HTML has it and ARIA doesn't have it 17:04:04 rs: password is not in SVG... 17:04:41 ack R 17:04:44 rs: in ARIA 1.1 we are trying to align with HTML and SVG, and someone is making passwords right now 17:04:59 q? 17:05:05 rs: I don't mind a SHOULD rather than a MUST but we should talk with AT vendors... 17:05:07 ack MichielBijl 17:05:15 q+ to wonder if security issues are indeed a special case we might consider globally 17:05:25 ack c 17:05:25 cyns, you wanted to say I'd like to see AT MUST as a general thing, but as an intentional decision, not by backing into it 17:05:35 cs: I think AT MUST is a good thing, but we need to make sure it is attentional --- all specs should be a MUST 17:05:36 +1 To talk to the AT vendors, because it's a bug if they fail to do this in any password input (it has nothing to do with this role). 17:05:40 rs: OHHH 17:05:47 q? 17:05:51 ack MichaelC 17:05:51 MichaelC, you wanted to wonder if security issues are indeed a special case we might consider globally 17:06:16 q+ 17:06:21 mc: I wonder if security issues are a reason to have an exception to our normal rules 17:06:45 q+ To say this may be the AT must exception that proves the rule, but discuss with vendors before finalizing 17:06:54 mc: I don't know if there are other ARIA roles that impact security... they might be subject to with a MUST 17:07:24 rs: AT vendors did not want to be dictated to, they want to be able to innovate 17:07:58 q+ To say that mappings should automatically cause ATs to do whatever they do with other password inputs (like input type="password"). 17:08:12 rs: had problems with MUST with first user agent guidelines.... I appreciate they want to innovate, more willing to do MUST for security 17:08:12 sam has joined #aria 17:08:21 ack mck 17:08:33 cs: plenty of vendors would prefer not to have standards, doesn't make it right 17:08:36 sam_ has joined #aria 17:09:42 q- 17:09:47 mk: I would argue that there is not necessarily a security issue if they don't do anything, there may be convenience thing ... other ways to mitigate risk - head phones... 17:09:59 mk: I don't think there is a clear risk 17:09:59 q? 17:10:02 ack joanie 17:10:02 joanie, you wanted to say that mappings should automatically cause ATs to do whatever they do with other password inputs (like input type="password"). 17:10:05 ack me 17:10:47 jd: should have it do same thing it does for input type=password.... 17:11:02 q+ to say that we don't expose the value of password input in UIA but do for text input 17:11:04 mk: good point, if they already do something, then they are good to go 17:11:24 rs: that is if they use input password 17:11:37 q? 17:11:44 ack cyns 17:11:44 cyns, you wanted to say that we don't expose the value of password input in UIA but do for text input 17:11:48 mc: we are asking them to map the password role to whatever they do for input type password 17:12:09 q? 17:12:19 cs: for UIA, we don't expose text for input password for text we do.... 17:12:25 q+ to draft a consensus expression 17:12:53 mk: I hear consensus on a AT SHOULD rather than a MUST 17:13:05 q+ to suggest that authors MUST obscure the text for a custom password ? 17:13:21 mk: we understand the risks Leonie raised... 17:13:50 +1 17:13:53 +1 17:13:59 q? 17:14:03 ack me 17:14:03 MichaelC, you wanted to draft a consensus expression 17:14:03 rs: do people have an object to Joanie to modifying her branch and putting it out for consensus? 17:14:17 mc: I agree with that and Matt summarized it ... 17:14:27 q? 17:14:57 q+ to respond on author must 17:15:32 ack c 17:15:32 clown, you wanted to suggest that authors MUST obscure the text for a custom password ? 17:15:35 js: do we want to include that authors MUST obscure the text on a custom password field , unless there is a checkbox saying show in plain text 17:15:52 rs: I don't know if we can do that, can't test for that 17:16:01 q? 17:16:06 rs: could have a authors SHOULD.... 17:16:41 mk: the thing we should do is have AT's echo what is visible on the screen... 17:16:48 https://rawgit.com/w3c/aria/password-role/aria/aria.html#password 17:17:08 q- 17:17:13 mk: it's fine as long as AT user is aware the password is/isn't obscurred 17:17:28 q? 17:17:34 rs: Joanie OK with the changes? 17:17:47 jd: should not allow on input type text 17:18:08 jd: how would someone obscure it? 17:18:18 js: you have a script ... 17:18:28 q? 17:18:59 mc: would be hard to have a requirement in ARIA spec, have to go into HTML spec... 17:19:20 rs: each element in HTML 5.1 can restrict roles... 17:19:24 q? 17:19:37 mc: that would have to be taken to the HTML group 17:20:06 jd: only changes are about AT relaying the visible text 17:20:29 https://rawgit.com/w3c/aria/master/html-aam/html-aam.html#el-input-password 17:20:53 mc: part of the discussion is to have it map to the same way input type password works - has that been done? 17:20:56 js: yes 17:21:52 RESOLUTION: Password role brings value even if not fully supported, UAs should map same as they map input type=password, want AT SHOULD but not MUST to enhance 17:24:02 rs: want to address ARIA key shortcuts... but being able to predict and warn the author where it produces a new single key is enormous and a giant rat hole ... 17:24:32 q? 17:24:33 rs: authors need to test with different keyboards... 17:25:10 mk: if you come up with wording that satisfies what folks have been raising... 17:25:30 rs: right now keyset is not global.... it should be global 17:25:52 rs: trying to do it in a single attribute could be a mess 17:26:06 mk: drafted wording already... 17:26:29 q+ 17:26:58 Topic: ARIA key shortcuts (already ongoing) 17:27:50 mk: if the key shortcut is for the submit buttons... but if it is a landmark region that can't be activated, then the user will realize that focus will just be moved there 17:28:00 q? 17:28:24 mk: AT doesn't know the difference between the two scenarios - change focus vs activate 17:28:42 mk: all shortcuts do is document what is happening 17:29:42 +1 17:29:51 mk: key shortcuts is only communicating information - not providing support (onclick) - only purpose to provide information - doesn't add in functionality 17:30:23 note that the Access element that Rich proposed years ago had a way of indicating whether the shortcut should change focus or change focus AND activate. 17:30:46 mk: when you go into software today, and you hear a keyboard shortcut - they only thing the AT does is make an announcement 17:31:11 mk: screen reader may have a hot key - it doesn't tell you what the keyboard shortcut does - 17:31:51 q+ to ask whether focus vs. activate might be role-specific? for example, buttons invoke and an edits focus? 17:31:56 rs: you have user interface conventions, on the web we don't have consistent conventions for keys... 17:32:36 mk: purpose only for providing information - no plans for the property to tell the AT what the response to the key is 17:32:48 rs: what if you want an activate and a focus? 17:32:58 mk: not possible with what is proposed 17:33:08 mk: would be odd and silly 17:33:12 rs: why? 17:33:28 rs: why isn't what Chaals proposed enough? 17:33:55 jn: those are proposed - this documents what we have done in JavaScript 17:34:17 rs: neither of you have convinced me... 17:35:00 mk: it isn't necessary or useful for the key shortcut to announce the availability of the key 17:35:10 rs: I want to know... 17:35:31 q? 17:35:45 mk: you can't tell authors to only use it where it activates it and not when gives it focus 17:35:59 ack Rich 17:36:15 mk: you would have to have two properties.... can get the equivalent to what we have on the desktop 17:36:26 cs: is that a problem on the desktop? 17:36:31 q? 17:36:47 mk: gives a checkbox example.... 17:36:58 q? 17:37:11 cs: is your expectation based on the control? 17:37:28 cs: is that expected by the user? 17:37:45 mk: I think users have to learn by experience... 17:39:04 jg: providing folks about keyboard interaction is important and being able to do that through ARIA is useful, the rest should be in the HTML 5 spec 17:39:34 rs: will try to make it a global property and let everyone chew on it for a week... 17:40:14 q+ to get on queue for the text role discussion 17:40:15 https://www.w3.org/WAI/ARIA/track/actions/2023 17:40:18 Topic: Text Role 17:40:25 action-2023 17:40:25 action-2023 -- Joseph Scheuhammer to Write a proposal about how to modify the definition of role text to limit its use. -- due 2016-02-23 -- OPEN 17:40:25 http://www.w3.org/WAI/ARIA/track/actions/2023 17:41:30 mk: unclear about the need for the role - can improve the support for image role - main concern it hides images from authors - several screen reader users agree 17:42:01 mk: if a screen reader wanted to recognize special images embedded in text, they could do that 17:42:10 q+ 17:42:23 ack cyns 17:42:23 cyns, you wanted to ask whether focus vs. activate might be role-specific? for example, buttons invoke and an edits focus? 17:42:25 mk: don't want to remove that functionality 17:42:33 ack me 17:42:33 ack jamesn 17:42:34 jamesn, you wanted to get on queue for the text role discussion 17:42:44 jn: I see the image thing where it shouldn't be used 17:43:33 jn: I have seen multiple ways of doing things... there are places where it should not be used... like the rest of ARIA could be used to make things better 17:44:32 jn: a button next to a bunch of text, there is a bunch of links.... we don't make the links focus able.... allowing something that someone can simplify it might be better 17:45:02 mk: wondering if using role=presentation and .... describes alternative.... 17:45:27 jn: another example when people want to put a price... and folks want to read that as a single text string 17:45:50 q+ to ask if this is urgently needed and has to be in 1.1? It seems like risk outweighs benefit 17:46:40 ack me 17:47:26 fe: can make a path element that looks like text 17:47:29 this is from the adobe web site 17:47:30

^$9⁹⁹/mo

17:48:12 mk: maybe we should make it an attribute and limit it to certain elements 17:48:31 rs: there was pushback to limiting it to the img element 17:48:37

★★★☆☆︎

17:48:57 q? 17:49:22 cs: how urgently do we need it? can it wait for ARIA 2? 17:49:58 issue-435 17:49:58 issue-435 -- Consider role="text" to expose elements (and contents) as static text node -- closed 17:49:58 http://www.w3.org/WAI/ARIA/track/issues/435 17:50:08 mk: the big thing is the use case for SVG.. is the accessible interface... is a different kind of use case 17:50:34 mk: that is a bigger issue 17:50:36 Email from Steve F: https://lists.w3.org/Archives/Public/wai-xtech/2011Apr/0007.html 17:50:43 +1 17:50:48 rs: are people willing to move it to ARIA 2. 17:51:01 +1 for moving text role to aria 2 17:51:07 +1 moving to ARIA 2 17:51:10 +1 17:51:19 +1 17:51:32 +1 17:51:33 jn: if we do it, lets do it right 17:51:47 +1 for ARIA2 17:53:29 Proposed Resolution: Move role=“text” to ARIA 2 as issues such as implementing textpatterns (API work) should accompany this including for the SVG host language 17:54:16 cyns: maybe add we cant do this well in 1.1 17:54:47 Proposed Resolution: Move role=“text” to ARIA 2 as the group does not believe it can address the issues well in the ARIA 1.1 time frame. 17:55:25 RESOLUTION: Move role=“text” to ARIA 2 as the group does not believe it can address the issues well in the ARIA 1.1 time frame. 17:56:10 rss, make minutes 17:56:17 rrs, make minutes 17:56:27 RRSAgent, make minutes 17:56:27 I have made the request to generate http://www.w3.org/2016/03/31-aria-minutes.html Rich 17:57:11 clown has joined #aria 18:15:47 RRSAgent, stop