> Edit: OK, I'm convinced; I just found a report of a use-after-free vulnerability (now fixed) in Chromium accessibility code [3]. I guess I really didn't grasp how hard this is.
Appreciate your understanding. We also understand how important this is. While we don't publicly discuss every challenge we struggle with, we're usually pretty good at finding solutions to hard but important problems. And this is clearly an important problem, and a hard one. Do hope you'll keep up the pressure on us — as well as others like Mighty, Menlo Security, and zScaler — to prioritize this. And, whatever the best solution, if we find it, we're committed to sharing it with the rest of the industry.
> we don't publicly discuss every challenge we struggle with
Of course. But that's not what I, and hundreds of thousands (or more) of other working blind people, are expecting of you. This isn't like blogging about some obscure network performance problem that the team has been struggling with. Instead, the team has been keeping decision-makers in the dark about something that's crucial for them to consider when evaluating this product. If decision-makers adopt the product without having this information about an important limitation, they may inadvertently prevent blind employees from doing their work. Even if the customer ends up making the accommodations you suggest for their blind employee(s), they currently have to be reactive about it. And in the meantime, the blind employees' productivity is disrupted, particularly if they weren't tech-savvy enough to diagnose their inability to do normal web browsing, as SLJ7 pointed out [1]. That's why Cloudflare has an obligation to publicly disclose this limitation in the product.
Also, I read just a few minutes ago that Cloudflare is partnering with Accenture Federal Services to start deploying some of your network security technology in the US federal government [2]. I know this is starting with your DNS service; so far, so good. But I'm sure you would like to offer your Browser Isolation product as well. That product is currently not in compliance with the relevant accessibility requirements for products that are sold to the federal government. I was reluctant to reach for that particular stick, but maybe it will give the team more motivation to solve this problem.
This seems a bit of a failure of communication. Let's be honest: we all know that "thanks for your suggestion, we take this very seriously!" is business speak for "yeah yeah, go away" more often than not. Even if Cloudflare is better than this (I don't know), it's still the industry average and context in which Cloudflare exists.
So if you want to show you're actually taking something seriously, a bit more signalling is needed. I don't think anyone really benefited from the fact that the existence of a team actually working on this was only communicated after this article.
Naive question, but why can't you run the screen reader on the remote instance and wire key presses through? I do something similar when I need to remote desktop without using my hands: I install hunt-and-peck on the target machine, then I can say the hotkeys to bring it up and say letters to click things in the remote windows.
Even if you have a crappy screen reader, it's better to throw your disabled users some kind of bone than to make them wait for some perfect solution that will never get properly funded.
I'm afraid I might be partially responsible for the lack of this work-around. In a phone conversation with the Browser Isolation product manager a few weeks before the product launch in March (but remember, well over a year after I first contacted Cloudflare about accessibility in this product), I articulated some version of the problems with a remote screen reader that I laid out in [1]. But I may not have emphasized enough that this would be better than nothing. Since it was a phone conversation and not an email exchange, I unfortunately have no record of what I said. Still, I can't take full responsibility for the fact that, to all outward appearances, they have done nothing about this problem so far.
> For blind people, TTS settings are very personal.
Is there a whitepaper that articulates concrete solutions to reconcile the myriad flavors of screen reader configurations with Browser Isolation technology?
The other issue is that while this would work for screen readers, it wouldn't work for me. I can see fine, but I'm losing the use of my arms, so I use vimium with dictation to navigate pages. They'd have to bake vimium into it as well...
...which suggests to me, why not allow approved browser extensions to run on the remote side? you could have a screen reader extension, I could have vimium, it wouldn't be great but it would be secure, and again, better than nothing.
Your suggestion is probably the correct solution technically speaking, as it funnels the screen reader I/O stream through browser APIs.
The immediate objection is that most popular screen readers (JAWS, NVDA) are native apps and not browser extensions, with (some?) extension-based screen readers being immature. mwcampbell articulated as much in a different post, asking for a native desktop client as opposed to a browser-based client. Alas, a 'native desktop client' is a different technology than Cloudflare RBI, subject to different tradeoffs, which may well be at odds with the goals of Cloudflare RBI as a product.
A hypothetical browser accessibility protocol is likely to prove insufficient, as native screen reader apps will themselves become an attack vector.
Unlocking the situation requires a wider industry buy-in beyond Cloudflare. Screen readers must be rearchitected with security in mind. IT departments must manage accessibility apps. Advocacy groups must commit to roadmaps that include a lot of change, and that may even degrade the status quo for many years to come. Given that existing screen reader apps have decades of engineering already poured in, it will be hard and expensive to enact change. A good early step could be creating an industry standard various entities can rally behind.
I've struggled with security vs. accessibility myself. My work won't allow my dictation software on the secure workstations we have to use, at least for the near future. They allow Dragon, but Dragon sucks for interaction and programming. Companies can't just throw their hands up and say "security" though... or at least they shouldn't. They can and do, I guess.