Security considerations #11
Labels
Q1
Internal classification of the proposed quarter to do the work
Comments
This was referenced Apr 5, 2022
This would allow privilege escalation since screen readers usually have more privilege than other apps (e.g. browsers). |
lolaodelola
added
the
Q1
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
From the ARIA-AT automation meeting on March 14, 2022: #17 (minutes)
Allowing automation of screen readers is not without security concerns, as it can effectively allow universal XSS in the browser, or even allow any input in the OS and access to things that apps normally don't have access to (e.g. the login screen).
In CI, there are also security risks, but different to a local setup. Some CI systems today disable macOS SIP (System Integrity Protection), which makes it possible to programatically turn on VoiceOver.
Ideas:
cc @cookiecrook @mcking65 @s3ththompson
The text was updated successfully, but these errors were encountered: