Web Development Accessibility

The Problem

At the university, small web development teams, i.e. of one to three people, or new developers, i.e. co-op students, generally don’t have all the frontend and backend knowledge to meet the legal obligations required of the university. It would be useful to have a resource that lists valuable development tools, i.e. validation or testing software and, tutorials. These tools would provide a relatively quick way for the developer to know if their web application (web app) meets the legal requirements etc.

This page is an attempt to get that started. Therefore, it will not represent all obligations, or changes to those obligations.

Note, that UW’s central computing group, IST, has:

a web resources site, https://uwaterloo.ca/web-resources/, that presents guidelines and information for moving web pages to the university’s wcms
a web development review (web dev rev) meeting every Friday, https://uwaterloo.ca/web-resources/blog/topic/wcms-web-dev-rev, that seems to cover more of the topics that a general web developer would find useful.

The Tools

User Interface (ui)

There are several approaches and philosophies to enhancing a web ui:

Fluid web design, "…a fluid website is built on relative widths, grids and percentages. This allows the website to scale up and down fluidly,' https://blog.spinweb.net/6-beautiful-examples-of-fluid-website-design
Progressive enhancement (PE) through graceful degradation, https://en.wikipedia.org/wiki/Progressive_enhancement, using unobtrusive javaScript, https://en.wikipedia.org/wiki/Unobtrusive_JavaScript
Responsive web design, https://en.wikipedia.org/wiki/Responsive_web_design (RWD)
Single Page Application, https://en.wikipedia.org/wiki/Single-page_application (SPA).

Each has their strengths and weaknesses. For example, some issues surrounding ui and accessibility are:

extensive use of javascript to rebuild sections of the webpage doesn’t allow screenreaders to inform the user that content changed and also affects tab order
extensive use of RWD, and mobile first, can disorder screen elements, i.e. tables ['Tables, CSS Display Properties, and ARIA,' http://adrianroselli.com/2018/02/tables-css-display-properties-and-aria.html, by Adrian Roselli]
note, this field is young and as it matures hopefully, these issues will be solved.

Whichever one you choose, ensure that it satisfies the WCAG2 specification, http://www.w3.org/TR/WCAG20/. For those who are keen, here is a peak into the future, 'WCAG 2.1: What does it actually mean?,' https://frontside.io/blog/2018/06/14/what-is-new-in-wcag-2-1.html.

My approach tends toward using PE. This architecture makes accessibility easier since it relies on having solid semantic html at the core. Therefore, I look for solutions that follow this architecture.

The tools and tutorials:

Peter Jang has a introductory overview of 'Modern HTML Explained For Dinosaurs,' https://medium.com/actualize-network/modern-html-explained-for-dinosaurs-65e56af2981
Tania Rascia has a gem of a site with easy to understand introductory to intermediate tutorials - https://www.taniarascia.com/blog/ - on css, mysql, php, and jquery
'HTML 5 and ARIA Landmarks | Structure & Semantics,' https://dequeuniversity.com/assets/html/jquery-summit/html5/slides/landmarks.html
'A11ycasts with Rob Dodson,' https://www.youtube.com/playlist?list=PLNYkxOF6rcICWx0C9LVWWVqvHlYJyqw7g
ROCA: Resource-oriented Client Architecture, http://roca-style.org/:
- has a list of javascript enhancement ui libraries that still provide accessibility
Mozilla Developer Network, https://developer.mozilla.org/en-US/
W3C Link Checker, http://validator.w3.org/checklink
W3C Markup Validation Service, http://validator.w3.org/
the Web Accessibility Initiative Accessible Rich Internet Applications Suite (WAI-ARIA), https://www.w3.org/WAI/intro/aria
Revenge.css: A CSS bookmarklet that puts pink error boxes (with messages in comic sans) everywhere you write bad HTML, https://github.com/Heydon/REVENGE.CSS
Page Analytics (by Google), https://chrome.google.com/webstore/detail/page-analytics-by-google/fnbdnhhicmebfgdgglcdacdapkcihcoh, is a Chrome extension [Michael Tjendra]
to validate links, and generate statistics, Momspider, http://www.robotstxt.org/db/momspider.html
the Foundation css framework, https://foundation.zurb.com/sites/docs/
the Figuration css framework, http://figuration.org/
Unpoly.js - Unobtrusive JavaScript framework - https://unpoly.com/, may provide a solution for sites that need a SPA.

Guides:

Adam Silver’s progressive enhancement articles, https://adamsilver.io/articles/
https://maintainablecss.com - an approach to writing modular, scalable and maintainable CSS by Adam Silver

UW Common Look and Feel (clf) for web apps:

a template has been requested
typography, https://uwaterloo.ca/brand/visual-expression/typography.

Accessibility

Guides:

'The Accessibility Developer Guide,' https://www.accessibility-developer-guide.com/
'Accessibility for Teams,' https://accessibility.digital.gov/.

These css frameworks have references to online contrast checkers and summaries of how they use the ARIA attributes, etc:

the Foundation css framework’s accessibility guidelines, https://foundation.zurb.com/sites/docs/accessibility.html
the Figuration css framework’s accessibility guidelines, http://figuration.org/get-started/accessibility/

Components:

'Data Tables ,' http://inclusive-components.design/data-tables/
- the first part discusses html and aria attribute usage
- the second part examines the issues with the React javascript framework

PDFs:

what tool is available to check your pdf to ensure it is accessible?
- this would be useful for staff and writers
Chris Francis commented that the built in Adobe and Word tools are good and, "They definitely aren’t as good as the web ones. As an example, both of these fail colour contrast checking, while many of the web ones will catch it. That said, the web ones still don’t catch everything. Nothing I know of catches reading order, poor wording, or anything like someone using text as an image."
'Create and verify PDF accessibility (Acrobat Pro),' https://helpx.adobe.com/acrobat/using/create-verify-pdf-accessibility.html
PDF Accessibility Checker (PAC 3), http://www.access-for-all.ch/en/pdf-lab/pdf-accessibility-checker-pac.html
where possible, consider converting the pdf to a webpage.

Web testing:

what screenreaders
what browser plugins?
WCAG contrast checker, https://addons.mozilla.org/en-US/firefox/addon/wcag-contrast-checker/, is a Firefox add-on [Michael Tjendra]

Graham Faulkner suggestions:

a11y Project (A community-driven effort to make web accessibility easier) checkers:
- 'Web Accessibility Checklist,' https://a11yproject.com/checklist
- WAVE plugin for Chrome, http://wave.webaim.org/
- AChecker, https://achecker.ca/checker/index.php
aXe plugin for Chrome, https://chrome.google.com/webstore/detail/axe/lhdoppojpmngadmnindnejefpokejbdd
ChromeVox plugin (screen reader) for Chrome, https://chrome.google.com/webstore/detail/chromevox/kgejglhpjiefppelpmljglcjbhoiplfn?hl=en
'Tenon.io can identify 508 and WCAG 2.0 issues in any environment,' https://tenon.io/index.php
List of tools from W3C, https://www.w3.org/WAI/ER/tools/
Web Accessibility Testing Tools: Who tests the DOM?, http://www.karlgroves.com/2013/09/06/web-accessibility-testing-tools-who-tests-the-dom/
Professional Web Accessibility Auditing Made Easy – free online course from Ryerson, https://www.canvas.net/browse/ryersonu/courses/web-access-auditing
Amara Subtitling Platforms, https://amara.org/en/subtitling-platform/
NVDA screen reader for Windows, https://www.nvaccess.org/.

Security

Although focusing on php, many of the suggestions are valid for other programming languages:

'The 2018 Guide to Building Secure PHP Software - Paragon Initiative Enterprises Blog,' https://paragonie.com/blog/2017/12/2018-guide-building-secure-php-software, is an extensive and invaluable guide to securing web apps
'Using HTTP Headers to Secure Your Site,' https://blog.heroku.com/using-http-headers-to-secure-your-site, references an online header tester
Security Vulnerability Checkers - SensioLabs Security Advisories Checker, https://security.sensiolabs.org/check, checks your php libraries for known vulnerabilities using your project’s composer.json file
'Re-introducing PDO - the Right Way to Access Databases in PHP,' https://www.sitepoint.com/re-introducing-pdo-the-right-way-to-access-databases-in-php/
'Why you Should be using PHP’s PDO for Database Access,' https://code.tutsplus.com/tutorials/why-you-should-be-using-phps-pdo-for-database-access--net-12059
'Bobby Tables: A guide to preventing SQL injection,' http://bobby-tables.com/, provides examples in the most popular programming languages
The Open Web Application Security Project (OWASP) provides a comprehensive overview of most web attacks, https://www.owasp.org/index.php/Category:Attack, with some suggestions for dealing with them
'Keeping Credentials Secure in PHP,' https://websec.io/2018/06/14/Keep-Credentials-Secure.html
Web Cookies Scanner, https://webcookies.org/:
- All-in-one free web application security tool. Web application vulnerability and privacy scanner with support for HTTP cookies, Flash, HTML5 localStorage, sessionStorage, CANVAS, Supercookies, Evercookies. Includes a free SSL/TLS, HTML and HTTP vulnerability scanner and URL malware scanner.

Databases and record representations on the web:

are UUIDs useful as reference keys in datatables to assist with get url ids?

Penetration testing:

IST will test a web app
however, it is essential that other UW developers have easy and timely access to a standard penetration testing tool, so that developers can fix the basics before IST’s testing
- preferably open source
- Pat Matlock suggested Arachni, http://www.arachni-scanner.com/:
  - "Arachni is a feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of modern web applications."

Data

Managing data involves the processes that your app uses to input, massage, keep and delete data. The European Union’s General Data Protection Regulation (gdpr) has recently been introduced to protect the data of European citizen’s. [It is also useful for other countries' users as well.] I think the best summary that I have seen of how to handle data is from reddit:

[&#8211;]NiteLite
I am one of many working on GDPR compliance at our company, and I am not worried about article 5.

It is not that complicated:
a) Don't try to be sneaky, stick to the law. Tell the user what data you collect and why.
b) Don't use PII [Personally Identifiable Information] for other stuff than what you told the user.
c) Don't collect more info than you need "just in case you might need it in the future".
d) Make sure the data you collect is kept up to date.
e) Get rid of data if you no longer need it to perform the task you told the user about.
f) Make sure only authorized people have access to the data.

Here are some point by point discussions' that will give you an idea of its scope:

wrt programmers:
- 'How GDPR Will Change The Way You Develop,' https://www.smashingmagazine.com/2018/02/gdpr-for-web-developers/
- 'The GDPR & HubSpot,' https://www.hubspot.com/data-privacy/gdpr/product-readiness, shows how HubSpot, as a third party intermediary, is accommodating gdpr
wrt marketers:
- 'What You Need to Know About the GDPR in Canada,' https://www.trafficsoda.com/what-you-need-to-know-about-the-gdpr-in-canada/.

Tools for gdpr:

wrt designers:
- 'How To Protect Your Users With The Privacy By Design Framework,' https://www.smashingmagazine.com/2017/07/privacy-by-design-framework/
wrt programmers:
- 'GDPR – A Practical Guide For Developers,' https://techblog.bozho.net/gdpr-practical-guide-developers/
- 'The GDPR Compliance Checklist,' https://gdprchecklist.io/.

— MarlonAGriffith - 19 Mar 2018