E-mail List Archives

Re: [WebAIM Forum] Hyperlink Accessibility vs. Security


From: Patrick H. Lauke
Date: Sep 28, 2017 3:35PM

On 28/09/2017 21:38, Carly Gerard wrote:
> No worries Angela, I can try to explain better--although that's another good point to consider, the fact that URLs may be malicious in themselves. We know that hyperlinks need to have meaningful text to be accessible to AT, such as in the following example:
> <a href="https://domain.com/link-to-pdf ">Open Example PDF</a>
> In this case, a user would see the hyperlink as "Open Example PDF," and wouldn't see the actual URL. According to the email I received from our tech services, however, it sounds like they've heard to make the URL visible (and not use meaningful hyperlink text) for security purposes. Brief searches online have led me to phishing awareness articles that have also suggested this practice.
> This leads me to wonder how to consider both accessibility and security in this matter, and how I should start that discussion.
> I hope my explanation makes sense, and that maybe there's a reasonable solution.

User agents offer mechanisms to check where a link goes to. In most
browsers, focus a link with the keyboard / hover over it with the mouse,
and you'll see an indication of the URL it goes to in the bottom toolbar
of the browser, for instance.

As it's trivially easy to make a link *appear* to point one place while
actually pointing somewhere else (as Angela said), users should *never*
rely on what they see in clear text (be it human friendly text or an
apparent URL); they should use whatever their user agent offers; lastly,
once they land somewhere, they should always look at their browser's
address bar to confirm they're indeed where they expected to be. The
onus is on the user to do this. You as a site owner/maintainer are
obviously in control of where your links go. And saying that links
should just have their URLs visible will provide nothing but a false
sense of security to users (as, again, the visible text can easily
differ from the actual target of the link).

There is no reasonable solution other than users being aware of where
links go / checking once they got there. Nothing for content authors to do.

Patrick H. Lauke

www.splintered.co.uk | https://github.com/patrickhlauke
http://flickr.com/photos/redux/ | http://redux.deviantart.com
twitter: @patrick_h_lauke | skype: patrick_h_lauke