Friendly public service announcement: If you store, process or transmit credit card data, you are responsible for ensuring that you are PCI compliant. Use a third-party payment processor and transmit your data securely if you don’t want end-to-end responsibility. Thank you.
I have come to the conclusion that Matt is not going to take accessibility seriously until it affects him personally, and this is incredibly sad. Accessibility should not be the domain of those who are part of the disabled list, or those whose loved ones are part of it.
Maybe privacy and accessibility work would be valued by employers in the WordPress space if @photomatt would do his Goddamn job and advocate for them. Walking is very painful now but I have zero problem inching across that convention center tomorrow to say that to his face. #WCUS
I will respond to Matt’s call to learn blocks deeply when Matt learns accessibility deeply. Accessibility is not a nice-to-have, or an afterthought, or a feature, and I will not promote a thing I know full well not everyone can use, no matter how great the UX is for some. #WCUS

Notes from: “Who’s Afraid Of ARIA?” at WordCamp US 2018

Rian Rietveld @ #WCUS:

Rian is demonstrating Voiceover and ARIA for the WordCamp audience.

She’s giving a very practical example of why semantics matter when it comes to the web.

Aria-live: Tells screen readers what’s changing on a page without refreshing the page.

aria-live allows dynamic changes to be announced by screen readers.

From earlier in the talk: First rule of ARIA: Don’t use ARIA. Use a native HTML 5 element first, then add ARIA *when necessary*.

Make sure when using aria-live that your announcement is not too verbose: For example: announce the number of search results, not every search result.

Overrule a link’s anchor text with aria-label. Beware: aria-label overrules a link’s anchor text completely. For screen reader users it’s as if the link text does not exist.

screen reader text class: Hide something from sighted users while announcing it to screen reader users.

Use screen reader text class with the span element.

Aria-describedby and aria-labelledby: aria-labelledby replaces label text, (see form elements), aria-describedby adds extra information to the label text.

Rian is able to turn VoiceOver on and off. This would never happen using Jaws. You can do it with NVDA though. Sorry, couldn’t resist.

Make it work before you make it nice.

Slides for this talk, code with examples is here, and you can watch “Who’s Afraid of ARIA” with captions here.

Notes From: “Content Security Policies: List Your Trusted Sources And Prevent Attacks” at WordCamp US 2018

Miriam Schwab @ #WCUS:

Why is cryptomining from websites bad? Because it eats resources, plus governments shouldn’t be cryptomining.

Magecart: Going on for last three years, no one knows origination, attack IDs third-party scripts on websites and then hacks scripts.

Magecart hacks scripts for the purpose of skimming credit card information.

Content security policies: white-list sources via browser header, if a source is not white-listed, it can’t be installed. Applies to trackers and other third-party web scripts like Google Analytics or Google Fonts.

Demonstrating code snippets which implement content security policies, will share slides later.

Includes log of violations of content security policies. I’m going to love looking at this code.

If you research content security policies online, not a lot of up-to-date information, CSPs have been around since 2012.

W3C’s docs critiqued as being illegible, especially for those who speak English as a second language. Agree. Internationalization FTW!

Google is “do-as-we-say-not-as-we-do” with regard to its CSP docs V. what it does with its Google Analytics and other scripts.

Keeping up with what’s been added to pages manually is hard. Use Strict Dynamic CSP instead. One policy across multiple pages.

Google has tools for CSPs: Strict Dynamic Test Bed, not sure of accessibility of tool will need to check later.

CSP can be added using meta tag or in theme’s functions.php file. Also .htaccess. Use these if you don’t want to work with browser headers. Probably can stick this in custom functionality plugin too.

CSP Mitigator from Google: Check http response headers, if no CSP present, will alert. If CSP present but there are problems with it, tool will offer suggestions.
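The kind of header check described above (alert when no CSP is present, flag problems when one is), as an added example that is not from the talk or from Google's tooling. The sample policies and the finding names are constructed for illustration.

```python
# Added example; sample policies and finding names are constructed/hypothetical.
WEAK = "default-src *; script-src 'self' 'unsafe-inline' https:"
STRICT = ("script-src 'nonce-r4nd0m' 'strict-dynamic' 'unsafe-inline' https:; "
          "object-src 'none'; base-uri 'none'; report-uri /csp-report")
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def audit_csp(headers):
    """Return findings for a dict of HTTP response headers."""
    csp = next((v for k, v in headers.items()
                if k.lower() == "content-security-policy"), None)
    if csp is None:
        return ["no-csp"]
    policy = parse_csp(csp)
    findings = []
    # script-src falls back to default-src when it is absent.
    scripts = policy.get("script-src", policy.get("default-src"))
    if scripts is None:
        findings.append("scripts-unrestricted")
    else:
        srcs = [s.lower() for s in scripts]
        trusted = any(s.startswith(NONCE_OR_HASH) for s in srcs)
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present.
        if "'unsafe-inline'" in srcs and not trusted:
            findings.append("unsafe-inline-scripts")
        if "'strict-dynamic'" in srcs:
            if not trusted:
                findings.append("strict-dynamic-without-nonce")
        # Host and scheme allowlists are ignored under 'strict-dynamic'.
        elif any(s in ("*", "https:", "http:", "data:") for s in srcs):
            findings.append("wildcard-script-source")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no-violation-reporting")
    return findings


if __name__ == "__main__":
    for name, hdrs in [("none", {}), ("weak", {"Content-Security-Policy": WEAK}),
                       ("strict", {"Content-Security-Policy": STRICT})]:
        print(name, audit_csp(hdrs))
```

A policy delivered in a meta tag cannot use report-uri, so violation logging needs the header form.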

There are also WordPress plugins for this, not recommended because some are out-of-date, but easy way to get started.

report-uri.com: Alternative to CSP Mitigator, useful if you have philosophical issues with Google.

Google’s resources making it possible for more people to implement CSPs.

Now demoing offline copy of White House website: No CSP, which means things can be injected client-side.

For the blind people playing at home, the injection to the Freedom scientific website changing the site tagline to “Too expensive products for the visually impaired” was a result of no content security policy being present on the site. Not from speaker, my own injection of another example.

I just realized I can add code snippets to my posts while writing them using the Code Snippets CPT plugin by @Jtsternberg. BTW the code snippet output is way more accessible and easy to read than Github snippets. I love this plugin so much thank you Justin.
You cannot release a product with significant #a11y issues and call it a quality product. You cannot ignore a11y because it gets in your way and call yourself an advocate. @photomatt can continue to play this wrong all he likes, but that still doesn’t make it jazz.
Following is a transcription of what are apparently official comments from Yoast regarding the slated WordPress 5.0 release on Thursday. I’m providing this transcription for those who are using Twitter clients which do not support alternative text, (essentially the blindness-specific Twitter client), as well as for those on Facebook, Micro.blog and Mastodon. The quote reads:

We vehemently disagree with the decision to release WordPress 5.0 on December 6th, and think it’s irresponsible and disrespectful towards the community. However, we’re now going to try and support the community as well as possible and we hope to show everyone that Gutenberg is indeed a huge step forward.

Yoast is one of the largest plugin developers in the WordPress space, and they’ve made no bones about their support for accessibility. This tweet, for example, carries alternative text, and Yoast has made it a point to ensure that the user interfaces for their Search Engine Optimization plugin are as accessible as possible given the current WordPress interface. Joost’s comment is probably as professional as it’s going to get on this score, and no, I’m not counting the “everything-is-awesome” type comments that will inevitably be shared by Matt from Gutenberg’s cheering section in the score. There’s been a lot of chaos around Gutenberg and accessibility, and it’s heartening to know that so many in the WordPress space, including some rather large plugin and theme shops, are fighting alongside traditional accessibility advocates. All of you have my sincerest thanks.

For those of you who are reading this in your inbox, the context for this post is the recently-published, (as in yesterday), target release date for WordPress 5.0, which rolls out the new Gutenberg editor. I’d like to say I’m surprised by this, but I’m just not. I find myself asking a few questions: First, I find it very difficult to believe that a piece of software that is being released with known, significant issues, (up to and including significant accessibility issues, and no, that doesn’t just apply to assistive technology users), can be declared stable enough for release. Accessibility problems, just by themselves, are bugs. Well, they are if you claim to consider accessibility a priority. Next, if the plan was to release the Thursday before WordCamp US, (and I have to concur with those who believe it has been), what was the point of all those one-on-one office hours? How is anyone in the WordPress community supposed to believe that Matt is dealing in good faith when he has apparently convinced himself of the superiority of his own definition of quality and stability, and that his cause is so right and so perfect that it’s worth literally sneaking a major release out the door while everyone is traveling to WordCamp US? I am not opposed to the concept of Gutenberg, and I never have been. I know the current editor is not perfect, and that it can be improved. 
But this whole thing reeks of fanaticism, arrogance, dishonesty, a complete disregard for any standard definitions of quality control, (there’s no way, absolutely none, that enough time for actual testing, complete with stress cases, could have been performed between RC 2 and RC 3, and that’s not even counting RC 1), a complete disregard for those of us who work with WordPress users outside of what is apparently a hermetically sealed bubble of perfection in which Matt lives, and the day-to-day experience that has informed our comments since day one, along with a healthy dose of hope as a strategy when it comes to Gutenberg. The question and answer session at this weekend’s State of the Word address is going to get interesting, as is the dev chat this Wednesday.
I’m only part of the way through this and I’m already feeling bad because I haven’t sat down and articulated a bunch of goals for the new year. The only one I have so far is importing my entire Facebook archive into my personal site. I totally feel Brad on the blogging thing though because it’s enjoyable but I think spending all the time on social media kind of drains that. There’s a solution for this though: Indieweb, and blog posts don’t have to be five thousand words long. They can be a single photo or a bookmark or, like this one, a record of listening to a podcast episode. There are already lots of resources for adding various post kinds functionality to WordPress sites, including bookmarklets and apps for your phone. Definitely makes blogging easier.
I can absolutely see a case where users would interact, and therefore become vulnerable to this exploit: Keyboard-only users, screen reader users, and speech recognition users. So this might be worth looking into, especially if you’re adding a ton of keyboard shortcuts to your app and calling it an accessibility improvement.
This is a good read regarding the event-stream ongoing saga, and I agree with it, but I also have some things to add to it. For those of you who may not be familiar, (non-developers), event-stream was pulled from Node Package Manager, (something that gets used pretty frequently when building software in order to manage dependencies, otherwise known as other code bits you need in order to run/build your code bit), because it relied on another package which was found to have vulnerabilities. It was then handed over to someone else, who promptly added a cryptocurrency miner to it, at which point the internets freaked out. Frankly I don’t completely blame the new maintainer for adding the cryptocurrency miner. There are very large corporations who have no problem using open source software for their benefit, all while not supporting the maintainers. See for example: Apple and Microsoft. And if you can’t be relied on to hit that donate button, well then we’ll just use your processing power because eating habits need to be supported. I’d like to add to the post I’m linking to though that, while I think code does need to be simpler and thus easier to understand, I also think maybe we need to simplify our build processes. But back to the “understanding” point, reading code is a learned skill, and I think to a certain extent it’s on the users, (and in this case the users are developers), to learn how to read code. As much as I’d like code to be simpler, outside of everyone who writes code taking courses/reading books on best practice and then applying all that, I don’t see this happening.
I’m trying to decide if TMZ counts as accessibility hitting the mainstream or not. Also, someone should let them know that, (while Playboy Magazine has been available as part of the National Library Service for the Blind and Visually Handicapped for decades), in both braille and audio formats, blind people do not read Playboy for the articles. Some blind people are avid consumers of adult entertainment just as some sighted people are. Also, dear Playboy, if Pornhub can figure out how to make their entire site accessible while preserving its nature and content, you can too.
I came across this while reading an article about deleting Facebook even though deleting Facebook is a privilege. I appreciate the note of hope at the end, because I don’t believe simply disengaging from all these problems, (including the secondary ones like how we deal with politics and social issues as a society), is truly an option. Disengaging is not an option in my opinion because these issues are going to affect our lives and the lives of those around us whether we engage or not, and I think it’s better to have at least a slight idea of what’s coming and what’s happening than no idea at all.
Pocket has really nice integration with Firefox but asking me to solve a CAPTCHA every time I log in is very annoying. Time to move my bookmarks from there to my own site. #indieweb
I’m glad to see that WCAG 2.1 is being adopted so quickly. It was released on June 5, 2018; WCAG 2.0 took a while to be adopted as the standard. 2.1 does a lot to address the needs of not only people with disabilities, but also people who are older, (sorry screen reader users, it’s not just about us and it never has been), and I’m pleased to see that we didn’t have to wait two years to see it adopted. I’m also glad the National Federation of the Blind resorted to structured negotiation and not a lawsuit, and would like to see more campaigning in the organization’s ranks for this approach.