Accessibility in the web ecosystem

Introduction

Websites exist thanks to multiple layers of technology, where every layer depends on all the layers below it. This stack of technologies makes it possible to send a website from a remote server to a user's computer and display the information in that webpage. Each layer of this stack has a highly specialized role, and attempts to misuse a layer of the stack will result in a poor user experience, heightened security risks, and poor performance. In order to show a person with disabilities a webpage and make the experience as useful as possible, it is necessary to use each layer of the technology stack for the purpose it was built.

The layers

The foundations: hardware

The technology stack's foundation is the hardware of the user's computing system. There's no soft replacement for hardware, and oftentimes the user needs a specific type of hardware, or is limited to specific types of peripherals to use their computer. For blind users, hardware includes keyboards, headphones or speakers, braille displays or embossers, touch screens, etc. Low vision users use large monitors, and some may prefer keyboards with large letters, mice, etc. Other disabilities require even more specialized hardware. Someone with neck-down paralysis or limited dexterity may use very specialized hardware, or in some cases off-the-shelf devices that interact with software further up the stack. For example, some users rely on speech recognition, and simply need a high quality microphone. Yet others operate their computing system with one or a couple of switches, and rely on flipping the switch with an elbow, a head movement, one finger, etc. There have even been users with very severe paralysis who use their computer by sending Morse code signals using a single finger. These users have software further up the stack which interprets the output of the switch so they can navigate the whole system with literally a single button. Eye tracking cameras are also used by people who have ALS, or other impairments where the eyes are the best available method of telling a computing system where they want to interact. Without hardware, all subsequent layers of the technology stack are unable to operate.

Operating system

An operating system gives multiple running programs a method of accessing hardware inputs and outputs, and provides abstractions that allow higher level technology layers to use broad classes of hardware without needing to understand the specifics of a particular device. For example, the drivers for many different types of keyboards are presented through USB or similar interfaces, and present any keyboard's inputs to the running programs in a common way. Similarly, braille displays (technologies that allow blind people to read their computer screens with braille) need drivers to handle the nitty-gritty details of telling a braille display what to do, so that higher level programs can simply work with a braille display and don't have to concern themselves with how to raise 3 dots on a specific brand's braille display. Operating systems, along with hardware, also handle the security of running programs, ensuring that data stored in one program's memory can't be accessed by other running programs without explicit use of data sharing methods. For example, the most fundamental component of an operating system, called the kernel, ensures that programs are fairly allocated resources on the computer according to the needs of each individual program, and secures the system by ensuring the data in each program is isolated. The operating system also implements the core accessibility APIs (Application Programming Interfaces) used to communicate key information needed by assistive technologies from other applications. This is done at the operating system level to ensure that only authorized accessibility agents can access such information, and because the transfer of accessibility trees and other accessibility information often needs to be as fast as possible and needs special privileges from the operating system to work at the required speeds.
Remember, the only difference between most accessibility technology and spyware is that spyware tries to hide what it is doing, and does not send the data it collects to the computer user. Thus the access controls on accessibility APIs are incredibly important for the operating system to manage, and attempting to let applications manage these controls on their own would be highly insecure.

Application layer

The application layer is where much of the business logic is handled, and where the web browser is implemented. Applications running on an operating system may provide such services as computer vision, keyboard shortcuts, more extensive processing of user input, etc. Many assistive technologies are also implemented at this level of the stack. The application layer provides many APIs for efficient development, and application development is much more secure and safer here because the operating system provides abstractions that ensure running programs have to work together and share resources, and that ensure isolation of data between programs. While there are hundreds of applications running on the computer at any given time, each one is given a specific amount of time to do its work, then the operating system comes in, puts that app to sleep, and lets another one run for some small window of time. This is happening constantly, and to the user, it seems like Microsoft Word and your music app are running at the same time. In reality, Microsoft Word runs for a couple of milliseconds, the music app runs for a couple of milliseconds, etc., and once all the apps get to run, the whole process repeats. Of course, in reality, it's far more complicated than that, but the operating system manages sharing so every application can do its work. Assistive technologies are provided special application layer privileges like being able to talk to browsers, see the contents of the screen, etc. This is done in a secure way, with help from the operating system through special APIs that only specially blessed assistive technologies can access. Finally, applications that wish to talk to each other must do so using methods allowed by the operating system, including assistive technologies, which often get access to privileged methods of accessing information and communicating with other parts of the operating system at much faster speeds than other apps.

The web layer

While the web layer isn't exactly a traditional layer in this stack, it's being given a layer here because websites are very special in how they are handled. Every website is a collection of documents. These documents are loaded by what's called HTTP, or Hypertext Transfer Protocol. These websites are loaded with a piece of technology called a web browser. A web browser is a special piece of software that is responsible for displaying webpages, and is an incredibly complicated piece of technology. A web browser is given a site to load, and spins off an HTTP request instructing the website to send back data. Some of these data are instructions for other resources to load, including the information being presented, instructions on how to lay out this information (called stylesheets), and code that is executed to do interactive things (JavaScript). When the browser receives a bundle of JavaScript, it starts running the JavaScript (which is actually code that gets executed). This code is similar to other application code in many ways, in that the web browser provides APIs for doing useful things, like accessing the clipboard, adding new rectangles and text to the page, hiding or showing things, showing notifications, playing music, getting the user's location, etc. However, this code is quite different from other code running on the operating system in that it's only able to run in a special restricted environment called a sandbox.

Sandboxes

Think of a sandbox as a kids' play area with big tall fences around the whole thing and adults watching over all the children playing, to make sure they don't do anything naughty. The sandbox also only has certain toys, and the kids have to ask the adults if they want to bring any new toys in or remove anything from the sandbox. The browser's sandbox is designed so that the running code cannot do anything that isn't specifically allowed, and the list of things that are allowed is much more restrictive than for applications running directly on the operating system. One particularly important piece of the sandbox model is called a cross origin policy. Webpages regularly embed functionality from other places in them. For example, the webpage may include a region to pay for a shirt on PayPal. This is included in something called an iframe, which is just a separate page embedded in a page. In order to load the payment form from PayPal, PayPal needs to run its own code in the page, and that code has to work with very sensitive user data, including methods to retrieve credit card information.

However, if evilsite.com includes PayPal's form in itself with a fake shirt, it could just grab any data from the PayPal account of the user. This would include the user's credit card information. It could also deface PayPal's site by adding new elements, deleting or hiding the form, or visually hiding it and then filling it out for the user. Yikes! Obviously, websites can't be allowed to do bad things like this. This is where a cross origin policy comes into play. If someone puts a frame into the webpage, the code outside that frame cannot look into it and modify it, and the code inside it is likewise prohibited from tampering with the embedding page. Effectively, the evil site is in a different sandbox from the site that's being protected, and the only notes that can be passed to other sandboxes must be taken from the kids in the sandbox by special adult handlers who check the notes first. This occurs whenever a resource comes from a third party location, which generally speaking is any site that does not share the part of the URL before the / character. Also, script running on a site is limited in what it can do with accessibility information. It cannot, for example, remediate paypal.com if paypal.com were embedded inside the site being overlaid, because that would require it to be able to see the information in the PayPal site.
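
The origin comparison and the checked note passing described above, as an added example that is not part of the original article. The origins shop.example and payments.example, the message shape, and all function names are constructed for illustration; canScriptReadFrame is a simplified model of the browser's decision, not a browser API.

```javascript
// An origin is scheme + host + port; the path and query string do not matter.
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Simplified model: script in the embedding page may reach into a frame's
// document only when both pages share an origin.
function canScriptReadFrame(pageUrl, frameUrl) {
  return sameOrigin(pageUrl, frameUrl);
}

// The checked "note passing" channel is window.postMessage. The browser fills
// in event.origin itself, so the receiving page can trust that field (but not
// the sender-controlled event.data) and must validate both before acting.
function makeMessageHandler(allowedOrigins, onStatus) {
  const allowed = new Set(allowedOrigins.map(originOf));
  const validStatus = new Set(['paid', 'declined']);
  return function handle(event) {
    if (!allowed.has(event.origin)) {
      return { accepted: false, reason: 'untrusted origin' };
    }
    const data = event.data;
    if (typeof data !== 'object' || data === null ||
        data.type !== 'payment-status' || !validStatus.has(data.status)) {
      return { accepted: false, reason: 'unexpected message shape' };
    }
    onStatus(data.status);
    return { accepted: true, status: data.status };
  };
}

// In a browser the embedding shop page would register the handler like this:
//   const handle = makeMessageHandler(['https://payments.example'], showResult);
//   window.addEventListener('message', (e) => handle(e));
```
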

Accessibility Overlays are problematic

In my next article, I will explain why accessibility overlays are problematic because of how they run in the web layer, where they can do much less with actual accessibility APIs.