

B.8 Notes on frames

Since there is no guarantee that a frame target name is unique, it is appropriate to describe the current practice in finding a frame given a target name:

  1. If the target name is a reserved word as described in the normative text, apply it as described.
  2. Otherwise, perform a depth-first search of the frame hierarchy in the window that contained the link. Use the first frame whose name is an exact match.
  3. If no such frame was found in (2), apply step 2 to each window, in a front-to-back ordering. Stop as soon as you encounter a frame with exactly the same name.
  4. If no such frame was found in (3), create a new window and assign it the target name.

B.9 Notes on accessibility

The W3C Web Accessibility Initiative ([WAI]) is producing a series of guidelines to improve Web accessibility for people with disabilities. There are three sets of guidelines:

  • Web Content Accessibility Guidelines ([WCGL]), for authors and site managers. Please consult the Web Content Accessibility Guidelines for information about supplying alternative text for images, applets, scripts, etc.
  • User Agent Accessibility Guidelines ([UAGL]), for user agent developers (browsers, multimedia players, assistive technologies). Please consult these guidelines for guidance on handling alternate text.
  • Authoring Tool Accessibility Guidelines ([ATGL]), for authoring tool developers.

B.10 Notes on security

Anchors, embedded images, and all other elements that contain URIs as parameters may cause the URI to be dereferenced in response to user input. In this case, the security issues of [RFC1738], section 6, should be considered. The widely deployed methods for submitting form requests — HTTP and SMTP — provide little assurance of confidentiality. Information providers who request sensitive information via forms — especially with the INPUT element, type="password" — should be aware and make their users aware of the lack of confidentiality.

B.10.1 Security issues for forms

A user agent should not send any file that the user has not explicitly asked to be sent. Thus, HTML user agents are expected to confirm any default file names that might be suggested by the value attribute of the INPUT element. Hidden controls must not specify files.

This specification does not contain a mechanism for encryption of the data; this should be handled by whatever other mechanisms are in place for secure transmission of data.

Once a file is uploaded, the processing agent should process and store it appropriately.
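
The following audit sketch is an added example, not part of the specification. It checks markup for the two conditions noted in B.10 and B.10.1: a password control in a form submitted over HTTP or SMTP (mailto:), and a file control whose value attribute suggests a default file name. The names FormAudit, audit and page_scheme are hypothetical, the sample markup is constructed, and the sketch assumes a relative form action inherits the scheme of the page that contains it.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

CLEARTEXT = {"http", "mailto"}  # the HTTP and SMTP submission cases named in B.10

class FormAudit(HTMLParser):
    """Flags password fields sent in cleartext and file inputs with a preset name."""
    def __init__(self, page_scheme):
        super().__init__()
        self.page_scheme = page_scheme  # assumption: relative actions inherit this
        self.findings, self.form = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = (a.get("action") or "").strip()
            scheme = urlparse(action).scheme.lower() or self.page_scheme
            self.form = {"action": action, "scheme": scheme, "seen": False}
        elif tag == "input":
            kind = (a.get("type") or "text").lower()
            if kind == "file" and a.get("value"):
                # B.10.1: a suggested file name needs explicit user confirmation
                self.findings.append(("file-default", a.get("name"), a["value"]))
            f = self.form
            if kind == "password" and f and not f["seen"] and f["scheme"] in CLEARTEXT:
                f["seen"] = True  # report each form once
                self.findings.append(("cleartext-password", f["action"], f["scheme"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None

def audit(html, page_scheme="http"):
    parser = FormAudit(page_scheme)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample markup; hosts and field names are placeholders.
SAMPLE = """
<form action="http://example.org/login" method="post">
  <input type="text" name="user"><input type="password" name="pw"></form>
<form action="https://example.org/login" method="post">
  <input type="password" name="pw"></form>
<form action="mailto:ops@example.org" method="post">
  <input type="password" name="pw"></form>
<form action="/upload" method="post" enctype="multipart/form-data">
  <input type="file" name="doc" value="report.txt"></form>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, page_scheme="https"):
        print(finding)
```

Each finding is a tuple of the finding kind followed by the form action and scheme, or by the control name and suggested file name.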