From 7620ce80c20d8db618fbfbb92087a1603854b279 Mon Sep 17 00:00:00 2001
From: pes10k <76526+pes10k@users.noreply.github.com>
Date: Wed, 17 Jul 2024 13:34:45 -0700
Subject: [PATCH] first draft of accessibility device section (#158)

* first draft of accessibility device section, fixes #w3ctag/security-questionnaire#157

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

* Update index.bs

Co-authored-by: Theresa O'Connor <hober@apple.com>

---------

Co-authored-by: Theresa O'Connor <hober@apple.com>
---
 index.bs               | 46 ++++++++++++++++++++++++++++++++++++++++++
 questionnaire.markdown |  3 ++-
 2 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/index.bs b/index.bs
index 5ce2a4f..4e54151 100644
--- a/index.bs
+++ b/index.bs
@@ -810,6 +810,52 @@ You may follow the guidelines for <a href="bfcache">BFCache</a> mentioned above,
 as we expect BFCached and detached documents to be treated the same way,
 with the only difference being that BFCached documents can become [=Document/fully active=] again.
 
+<h3 class=question id="accessibility-devices">
+  Does your feature allow sites to learn about the users use of assistive technology?
+</h3>
+The Web is designed to work for everyone, and Web standards should be designed
+for people using assistive technology (<abbr title="assistive technology">AT</abbr>) just as much as for users relying
+on mice, keyboards, and touch screens. Accessibility and universal access
+are core to the W3C's mission.
+
+Specification authors though should keep in mind that Web users that rely on
+assistive technology face some unique risks when using the Web.
+The use of assistive technologies may cause those Web users to stand
+out among other Web users, increasing the risk of unwanted reidentification
+and privacy harm. Similarly, some Web site operators may try to
+discriminate against Web users who rely on assistive technology.
+
+Feature designers and <abbr title=specification>spec</abbr> authors should therefore be thoughtful and
+careful to limit if, and what, websites can learn about the use of assistive
+technologies. <abbr>Spec</abbr> authors must minimize both what information about
+assistive technology use their features reveal, both explicitly
+and implicitly. Examples of <em>explicit</em> information about assistive technology
+include device identifiers or model names. Examples of <em>implicit</em>
+information about the use of assistive technology might include
+user interaction patterns that are unlikely to be generated by a
+mouse, keyboard, or touch screen.
+
+<p class=example>
+The [[wai-aria-1.3]] defines additional markup authors can use to make
+their pages easier to navigate with assistive technology. The <abbr>spec</abbr>
+includes the [`aria-hidden`](https://w3c.github.io/aria/#aria-hidden)
+attribute, that site authors can use to indicate that certain content
+should be hidden from assistive technology.
+
+A malicious site author might
+abuse the `aria-hidden` attribute to learn if a user is using assistive
+technology, possibly by revealing certain page content to assistive technology,
+while showing very different page content to other users. A malicious
+site author could then possibly infer from the user's behavior which
+content the user was interacting with, and so whether assistive technology
+was being used.
+</p>
+
+
+
+
+
+
 <h3 class=question id="missing-questions">
   What should this questionnaire have asked?
 </h3>
diff --git a/questionnaire.markdown b/questionnaire.markdown
index df56be7..bdabb5e 100644
--- a/questionnaire.markdown
+++ b/questionnaire.markdown
@@ -38,4 +38,5 @@ For your convenience, a copy of the questionnaire's questions is quoted here in
 >      (instead of getting destroyed) after navigation, and potentially gets reused
 >      on future navigations back to the document?
 > 18.  What happens when a document that uses your feature gets disconnected?
-> 19.  What should this questionnaire have asked?
+> 19.  Does your feature allow sites to learn about the users use of accessibility devices?
+> 20.  What should this questionnaire have asked?