Do accessibility browsers support CSS or JavaScript?

I am currently working on a honeypot solution to prevent spam on my site. It consists of adding multiple fields with random names and hiding them with CSS by adding style="display : none;" to the HTML element. On submission, if any of these fields is not empty, that should mean that a spambot has just submitted the form. This is a malicious user. In any case, the message is rejected.

Now this will work fine, but I assume all users have browsers that support CSS.

JavaScript removal of each field with a CSS display attribute of none can prevent non-CSS browsers from displaying the presumably hidden fields.

So this will work just fine for browsers that support:

  • both CSS and JavaScript
  • CSS only
  • JavaScript only

My question is: do browsers for the blind, or any other accessibility browsers, support CSS and JavaScript, only CSS, only JavaScript, or neither?

+6
5 answers

do browsers for the blind or any other accessibility browser

There are no browsers targeted at people with disabilities these days. Previously, there were several projects, but the major manufacturers of assistive technologies (AT) came together and got their software working, first with IE and then with Firefox. You have a chance of using Chrome or Opera with AT, but support is hit or miss.

CSS and JavaScript support, only CSS, only JavaScript or not?

It really comes down to using JS, CSS, and AT. All in all, AT is great with CSS. There are four areas that can cause problems: color/contrast, display:table, display:none and visibility:hidden. Since the first two are not part of the question, we will skip them. JAWS only declares display:none or visibility:hidden content on <span>. I will not comment too much about JS, but WebAIM has an article providing an overview of JS and accessibility.

is to add multiple fields with random names and hide them with CSS by adding style="display : none;" into an HTML element.

I assume that you are correctly adding <label> to all of your form elements. Please add them to the honeypot fields only if they are read. I would add “ignore this field” to the <label>.

Reading:

Screen readers and display: none

JAWS, Window-Eyes and display: none: Return to 2007

+4

Modern screen readers typically work by “connecting” a text-to-speech interface to regular web browsers (such as Internet Explorer). Thus, they support all the CSS and JavaScript that the browser normally supports. display:none is perfectly kosher.

For other browsers: basic CSS rules, such as display:none, have been supported by every major web browser since the introduction of Netscape 4.something. If someone uses a browser that does not support CSS at all, they will have much bigger problems than your registration form.

+2

Well, I use Lynx sometimes when I feel frustrated with the world, and it does not support CSS. What I do in such cases is write a default value into the hidden field, for example: Please DON'T fill anything into this field

It takes care of any person who cannot see, but stupid bots still overwrite it. Then I check in my code whether the value is different from Please DON'T fill anything into this field, and profit!

BTW, this hidden-field method will not stop a specific attacker in any case, so discuss what happens if an attacker checks the source code of the page. We just want mass bots to be stopped - and bots that can recognize text like this (each developer uses his own words to convey the message) are far from falling into the hands of children, even if they exist. Well, the last part is an assumption.

+2

If you are doing this because of malicious users, it is useless, in my opinion. I'm not that bad a guy, but it took me one click to turn off the CSS styling. A lightweight plugin in a modern browser. Good for web development and maybe for other things. This is like reinventing the wheel to work with random, hidden names in a fixed form. Catch 1 working combination (reading F4 source code) and you can use it as many times as you want.

Why not just let an extra name be visible, save its name in the session, and compare it after sending?

Or add one <input type="hidden"> with an additional code (a hash or something else) that can only be recognized by your application.

+1
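One way to combine two suggestions from the answers above, the fixed "don't fill this in" value in the hidden fields and a hidden code that only the application can recognize, as a server-side check. This is an added example, not code from any of the posters; the names issue_form, check_submission, form_token, SECRET_KEY and MAX_AGE are assumptions, and the random field names are derived with an HMAC instead of being stored in the session.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-deployment server secret
SENTINEL = "Please DON'T fill anything into this field"
MAX_AGE = 3600  # assumption: a rendered form stays valid for one hour


def _sign(text):
    return hmac.new(SECRET_KEY, text.encode(), hashlib.sha256).hexdigest()


def _names(nonce, count):
    """Derive the random-looking honeypot field names from the nonce."""
    return ["f_" + _sign(f"name:{nonce}:{i}")[:12] for i in range(count)]


def issue_form(count=3, now=None):
    """Return the hidden inputs to render: honeypot fields plus a signed token."""
    issued = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    payload = f"{nonce}:{issued}:{count}"
    fields = {name: SENTINEL for name in _names(nonce, count)}
    fields["form_token"] = f"{payload}:{_sign(payload)}"
    return fields


def check_submission(post, now=None):
    """Return (accepted, reason) for a submitted form given as a dict."""
    now = time.time() if now is None else now
    parts = post.get("form_token", "").split(":")
    if len(parts) != 4:
        return False, "missing or malformed token"
    nonce, issued, count, sig = parts
    expected = _sign(f"{nonce}:{issued}:{count}")
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "token not issued by this application"
    if now - int(issued) > MAX_AGE:  # safe to parse: the signature was verified
        return False, "token expired"
    for name in _names(nonce, int(count)):
        # A human (even in a non-CSS browser) leaves the sentinel untouched.
        if post.get(name) != SENTINEL:
            return False, "honeypot field altered or missing"
    return True, "ok"
```

A captured valid submission can still be replayed until its token expires; rejecting reuse requires remembering seen nonces on the server.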

Adding to the other answers, I will say that assistive software like JAWS even supports dynamic changes to the display property (say, showing/hiding a div when a button is pressed).

0

Source: https://habr.com/ru/post/919953/

