Large Heydon ColliderI upgraded my Notion Accessibility Tracker to support the new WCAG 2.2 success criteria. If you bought it already, you get all that from the same template location.
It also means I have deleted Parsing 🙌
And in honour of the new Accessible Authentication SC, I've added a solution recommending honeypots over CAPTCHA (CRAPTCHA) https://www.w3.org/TR/WCAG22/#accessible-authentication-minimum
Web Content Accessibility Guidelines (WCAG) 2.2
Web Content Accessibility Guidelines (WCAG) 2.2 covers a wide range of recommendations for making web content more accessible. Following these guidelines will make content more accessible to a wider range of people with disabilities, including accommodations for blindness and low vision, deafness and hearing loss, limited movement, speech disabilities, photosensitivity, and combinations of these, and some accommodation for learning disabilities and cognitive limitations; but will not address every user need for people with these disabilities. These guidelines address accessibility of web content on any kind of device (including desktops, laptops, kiosks, and mobile devices). Following these guidelines will also often make web content more usable to users in general.
Finley Ⓥ@heydon Couldn't you make a bot that would scan aria tags like a screen reader would?
@finley Probably. Why do you ask?
@heydon Just thinking about the problem as a front-end engineer.
I might not be grasping the solution correctly, but I don't understand how you'd hide the form from the user in a way that a nefarious bot wouldn't be able to pick up on as well.
@finley Generally, bots aren't that clever. People who design them no about as much about accessibility and ARIA as any other developer.
@finley (but yeah, it is "security through obscurity")
Vic Golding@finley @heydon I understand how the sheer simplicity of this method can raise doubts, but as Heydon already pointed out, spambots aren't very sophisticated. They're more focused on speed and quantity rather than complex pattern recognition. However, you bring up an interesting point, and it's possible that bots may adapt to recognise honeypot fields in the future. It's a dynamic field (pun intended), so staying one step ahead is an ongoing challenge!
@vicgolding @heydon Oh I like simplicity. It's the simplicity of the workaround that seems problematic.
It would in theory mean bots would just change the selector from `form` to `form[aria-hidden="true"]`.
For small websites it would probably work because lack of accessibility is unfortunately a good bot control strategy. 🙃
At the MassiveBigCo I work for, attackers would probably figure it out pretty quickly. But we're also probably not the target audience for recommendations like this.
@finley @vicgolding Yeah, it can be worked around. Anecdotally, though, I recently worked at a MassiveBigCorp where the CAPTCHA wasn't catching all the spam. I insisted on instating a honeypot like this one and it has been stopping all the spam for months. Nothing works perfectly, but CAPTCHAs are garbage.
@heydon @vicgolding Yeah. I think that last point is something we can all agree on. 😁