Security and Accessibility issues (etc)

[vanderbeam]

Describe the bug

• Accessibility issues including but not limited to contrast and lack of link hover/focus indication (should be taken care of since the community it caters to tends to skew older so the risk of this causing an issue for a user is higher)
• Several CSP directive violation being reported in the console (this'll ding you on Google and could be risking an XSS attack)
• Additionally, on the map page, there is a mysterious and invisible "Home" link between "Map" and "Find my Location" in the main menu

To Reproduce

• Accessibility: Hover over external links (no hover indication occurs); for internal links, while the font colour changes, the contrast between the blue and grey is too low for anyone with low-vision to notice. While the focus outline is available, it doesn't have sufficient contrast for anyone navigating the site with a keyboard.
• Security: Review the inspector console

Expected behavior

• Accessibility: Links should have the same hover and focus indications and when hovered/focused on should also have a physical implication and not rely on colour alone (eg, text-decoration:none). Focus outline should have a 4:5 colour contrast ration against the background

[shgysk8zer0]

Hi @vanderbeam and thanks for taking the time to report all of this.

Although this site will not be particularly relevant again for several months, these issues affect many kernvalley.us sites because it's components from my CDN.

I admit accessibility is something that is important, but has been somewhat difficult for me.

For the CSP, I've been seeing some of these as well, but haven't been able to do a thing about it.

• There are errors for unsupported directives, but I'm not weakening my CSP for everyone because some browsers aren't great
• Errors may be reported for extensions, but that just means it's working
• A few sources that are not allowed that I have been completely incapable of tracing down

Did you happen to catch where the disallowed requests are coming from? I have searched everything and those requests are not made anywhere.

I'm somewhat surprised to see someone else in the KRV who's familiar with things like CSP.

[vanderbeam]

@shgysk8zer0 The CSP error will show up in a variety of ways depending on which browser I'm using and if it has extensions activated or not, but will consistently report errors and warnings for:

• object-src (warning)
• worker-src (warning)
• reflected-xss (warning, values being ignored)
• disown-opener (warning)
• script-src: onloadwff.js (error)

I can't remember which page it was on and can't seem to recreate it, but there was a request loop that put the console errors close to 200 and continuously rising in Chrome. Depending on the page, I get anywhere from 10-20 in Incognito and Firefox (no extensions on either).

It seems like some of the iframes may be another root of some of these errors, too.

While admittedly I'm quite unfamiliar with hosting with GitHub and find it a curious choice, I know there have been some CSP issues in the past. Out of curiosity, since most venues in the area appear to be relatively small and it's not exactly California's next tech hub, how come GitHub/Jekyll is the direction you went in instead of something like WordPress or Square Space that would be easy for the client to manage? Again, no disrespect - you're the first person in the area I've potentially been able to talk shop with. It's been a long time since I've even logged into GitHub so at this point I couldn't imagine using it to host my client files.

Regarding the accessibility, it's my specialty. I've been in development for almost 15 years on and off but in the last few years, I've found a passion for using those skills to ensure universal access and am in the process of becoming a certified expert. I recently moved to the community last fall and have been hoping for an opportunity to use those skills to contribute. If you have ANY questions whatsoever or would appreciate an audit on the site, let me know and I would be more than happy to help. No, I'm not trying to sell my services to you, I'm offering them.

[shgysk8zer0]

Quick answers to some questions here:

• There are no iframes anywhere
• onloadwff.js does not exist and must be from an add-on
• I use Netlify for a variety of reasons, including the fact that there is no client involved to be concerned about... Just me here

Other factors include the cell service/bandwidth issue in the area. I need sites to load reasonably quickly on even 3G and even with no service whatsoever (requires previous visit).

Go ahead and email admin@kernvalley.us and find a time to come by the Kernville Cowork sometime. There are a few devs here and it's a place to be familiar with.