City of Tacoma Web Standards Last Update: 4-11-12 Revision History Date 05/31/2011 06/15/2011 06/17/2011 10/13/2011 03/14/2012 03/15/2012 March/April Name Pam Murray Pam Murray Mike Hammoud Tedd Crist Tedd Crist Tedd Crist Gail Himes Reason for change Document Creation Added comments from ADA Effective Communication Team members Added Security Standards from OWASP Top 10 Web App Risks Revisions to Accessibility Standards Revisions to Accessibility Standards to match Level AA - Cover Addition of Compliance section and language throughout document To ensure full compliance with WCAG 2.0 AA; document to include any web content purchased or supported by the City of Tacoma Version 1.1 1.1 1.1 1.1 Table of Contents 1.0 INTRODUCTION .......................................................................................................................................................3 2.0 COMPLIANCE……………………………………………………………………………………………….……….……... 3 3.0 WEB STANDARDS ..................................................................................................................................................7 3.1 3.2 3.3 3.4 HTML VALIDATION ...................................................................................................................................................7 CSS AND JAVASCRIPT SUPPORT ...............................................................................................................................6 Include on Every Page .......................................................................................................................................6 ADDITIONAL CONSIDERATIONS ..................................................................................................................................8 4.0 ACCESSIBILITY STANDARDS ...............................................................................................................................8 5.0 SECURITY POLICY ................................................................................................................................................10 2 1.0 Introduction This document provides minimum standards compliance requirements for City of Tacoma websites and applications. Web applications developed or purchased (fully or partially) by the City of Tacoma must work across a variety of computing platforms, ensure compliance with the accessibility standards outlined in this document, and adhere to City of Tacoma web security policy. There is a lot more to making sure a web application works on a user's computer than supporting a particular version of a web browser. Design choices such as using plug-ins and designing for accessibility can make a significant difference on whether the application deploys successfully to your users. This guide recommends web application development and selection strategies to ensure the application: is accessible to all users; is maintainable; can readily adapt to changing needs of users; meets applicable legal and City of Tacoma policy requirements; 2.0 Compliance A compliant City of Tacoma web site must satisfy all of the requirements as set forth in sections 3.0 – Web Standards, 4.0 - Accessibility Standards, and 5.0 – Security Standards of this document; all web content will conform to World Wide Web (W3C) Web Accessibility Initiative (WAI) Web Content Accessibility Guidelines (WCAG) 2.0 Level AA as demonstrated by the submission of a report giving the validation results using the tools noted in each of the Validation sections noted below. The Accessibility Validation report must provide the appropriate message stating that the site / page successfully meets the WCAG 2.0 Level AA compliance as provided by the tool with no messages of any level, including warnings, to be present. Proof of Conformance to W3C WAI WCAG Level 2.0 AA Site / Page Code and CSS Validation: Site / Page Code Validation (use one of the four following options): ACHECKER http://achecker.ca/checker/index.php ACHECKER is an online validation tool. This tool points out the lines of code that cause accessibility issues and provides information on how to correct the error. WAVE http://wave.webaim.org/ WAVE is an online validation tool. To use this tool navigate to the WAVE page and insert the URL of the page to be validated. This tool shows the read order and any images without alt text. Web Design Group (WDG) HTML Validator http://www.htmlhelp.com/tools/validator/ A full site or page validator for all HTML DOC types. W3C Markup http://validator.w3.org/ W3C is a Markup Validation Service tool. This tool includes options to test a URL, upload a file, or validate the direct input. Additional options allow messages to be sorted sequentially or by group. Demonstrable results: Receipt of the appropriate message stating that the site / page successfully meets the WCAG 2.0 Level AA or W3C accessibility compliance as provided by the tool with no messages of any level, including warnings. 3 CSS Validation: (use the following validator or a City approved equivalent) CSS validator: http://jigsaw.w3.org/css-validator CSS validation service. Demonstrable results: Receipt of the appropriate message stating that the site / page successfully meets the WCAG 2.0 Level AA or W3C accessibility compliance as provided by the tool with no messages of any level, including warnings Screen Reader Validation: Internet Explorer: (Use one of the two following options) NVDA - www.nvda-project.org/ WebAnywhere: - http://wa.cs.washington.edu Fire Fox: (Use this to listen to site / page with Fire Fox) Fire Vox - http://www.firevox.clcworld.net/ Demonstrable results: Clearly understood and functional (with a mouse and without the use of a mouse (mouse removed): Skip to main content link present. Alternative text present for all images. Text must convey any content including a separate descriptive page for complex pictures or tables. Clearly understood navigation link text which tells if a link is going to a new site or opening in a new window. No image path or link path is read out loud. Readable transcriptions of audio as well as audio descriptions of visually meaningful video content included for any video. Screen reader can be stopped, paused, and resumed at any point on the page. Headings, labels and links are easily discernible and describe topic or purpose and convey meaningful level of information. Labels or instructions are clearly provided in readable text form where input is required and any error message is provided in text form that can be read by the screen reader. All tables have column and row headers which describe the data in the cells and are tied to each data cell while being read by the screen reader. Any alternative audio description or text is provided so that it is heard in sync with any video presented. The page reads in a logical and meaningful sequence. No sensory dependent instructions are given such as click on red, small, or round button to stop; green, square or button in top right corner to go. Color Usage (Contrast and Distinguishable) Validation: Contrast: Site (Use one of the two following options) Snook.ca Colour Contrast Tool http://www.snook.ca/technical/colour_contrast/colour.html The color contrast tool allows a user to specify a foreground and a background color and determine if they provide enough of a contrast 'when viewed by someone having color deficits or when viewed on a black and white screen. 4 Juicy Studio’s Luminosity Colour Contrast Ratio Analyser http://juicystudio.com/services/luminositycontrastratio.php Provides a similar function to the Color Contrast Tool mentioned above. CSS (If CSS is used, use this to validate the CSS for color contrast) Juicy Studio: CSS Color Contrast Test http://juicystudio.com/services/csstest.php Web-based tool to check CSS code for appropriate contrast. Color Blindness: (use the following) Colorblind Web Page Filter (wickline), Colorblind simulator is designed to show you what your page looks like to someone with a particular form of colorblindness. Content should be readable and elements clearly able to be discerned when viewed through the filter. An example of a poor design would be a page that relies on color for information that cannot be discriminated by those with colorblindness. Demonstrable results: Ensure your site meets or exceed the requirements for contrast and color blind compliance as stated within the tool’s evaluation criteria. Please note that each tool has its own range of values and specific criteria for the site to be considered compliant. In order for a Web page to conform to WCAG 2.0, all of the following conformance requirements must be satisfied: 1. Conformance Level: The following level of conformance is met in full. Level AA: For Level AA conformance, the web page satisfies all the Level A and Level AA Success Criteria, or a Level AA conforming alternate version is provided. Note 1: Although conformance can only be achieved at the stated level, authors are encouraged to report (in their claim) any progress toward meeting success criteria from all levels beyond the achieved minimum level of conformance. Full pages: Conformance (and conformance level) is for full Web page(s) only, and cannot be achieved if part of a Web page is excluded. Note 1: For the purpose of determining conformance, alternatives to part of a page's content are considered part of the page when the alternatives can be obtained directly from the page, e.g., a long description or an alternative presentation of a video. Note 2: Authors of web pages that cannot conform due to content outside of the author's control may consider a Statement of Partial Conformance. 2. Complete processes: When a web page is one of a series of web pages presenting a process (i.e., a sequence of steps that need to be completed in order to accomplish an activity), all web pages in the process conform at the specified level or better. (Conformance is not possible at a particular level if any page in the process does not conform at that level or better.) Example: An online store has a series of pages that are used to select and purchase products. All pages in the series from selection to checkout must conform for a particular page that is part of the process to conform 5 3.0 Web Standards "Web Standards" in this section refer to the protocols and languages such as HTML, cascading style sheet (CSS), and JavaScript that are used to render a web page in a browser and any language affecting the structure, rendering, and manipulating of the page both server side or browser side. 3.1 HTML Validation HTML output must conform to one of the following HTML mark up specifications: HTML 4.01, W3C XHTML 1.0 transitional or strict document type, or W3C XHTML 1.1. (No XHTML frameset doctype). Character encoding will be UTF-8. A site may optionally use HTML 5. If the page uses HTML 5 markup, functionality must be in place to ensure that HTML 5 specific elements degrade gracefully when the page renders. A compliant site must minimally support Internet Explorer 7.0, IE7. Features targeted to IE7 usually work well in other browsers such as FireFox version 3, Google Chrome 4 or Safari, version 3.2 and above. However, browsers other than Internet Explorer are not yet formally supported by the ITD Infrastructure teams. Testing the application for cross browser and OS compatibility is a critical step in the application's development life cycle. It is recommended that web pages be tested against validators as well. A compliant site must, as a minimum, test successfully on the text-only browser Lynx; the JAWS Screen reader in Internet Explorer (Windows OS); and the VoiceOver in Safari (Mac OS). 3.2 CSS and JavaScript Support A compliant site must validate to W3C CSS 1.0 or 2.1 CSS specification. CSS should be used for visual layout. Tables should be used to present tabular data, not to facilitate visual layout. Alternative stylesheets will be developed for printers and mobile devices. A compliant site must continue to be usable when CSS is not available or turned off. A compliant site must ensure, as a minimum, that any CSS syntax used on pages works across all browsers listed in Section 3.1. Web pages shall use web safe fonts with additional consideration for mobile access. Sans-Serif web fonts are preferred. The font-family property shall be set using CSS and should hold several font names as a "fallback" system, to ensure maximum compatibility between browsers/operating systems. (Start with the desired font and end with a generic family, to let the browser pick a similar font in the generic family, if no other fonts are available. For example: p{font-family: Verdana, Geneva, sans-serif). A compliant site must provide the ability to substantially increase font size. In addition, a compliant site must ensure, as a minimum, that any JavaScript used on pages works across all browsers listed in Section 3.1. 3.3 Include on Every Page The following is required on each page: A link to the City of Tacoma’s Web Policy and Accessibility Statement A link to the City of Tacoma’s Conditions & Use A copyright notice 3.4 Additional Requirements 6 A compliant site must adhere to the following criteria: Supporting web documents such as PDF files will be stored on a network file server and streamed to the web server Databases and back end file storage will only be accessed via web services The web application will not require any browser plug-ins. Content that will be displayed on multiple web sites or pages or that is stored in a database will be served to the web site using web services. Web page images shall be saved at 72 dpi resolution. All pages shall set (as a minimum) the page title and page description metatags for search engine indexing: Web pages may be optimized for a monitor resolution of 1024x768 but shall be designed using a liquid layout that stretches well for any resolution, from 800x600 to 1280x1024. 7 4.0 Accessibility Standards Designing for accessibility means making site content available to people with a variety of disabilities. In the United States, there are more than 30 million people with disabilities who can be affected by the design of computer software. Designing or purchasing inaccessible applications, can prevent people with disabilities from fully participating in government and place the City of Tacoma at risk for legal action. Accessible applications support universal design strategies and the City of Tacoma’s web policy and accessibility statement. At a minimum, all web content must comply with Sections 504 and 508 of the Rehabilitation Act, conform to World Wide Web (W3C) Web Accessibility Initiative (WAI) Web Content Accessibility Guidelines (WCAG) 2.0 Level AA, and adhere to the following: 1. Provide alt attributes alone or, in rare cases with the longdesc attribute for meaningful images. An alt attribute is a short description of an image that a screen reader can "read" to the user. Images that don't add any meaning to the web page, such as divider lines, should have empty alt attributes: <img src="images/divider.gif" width="800" height="10" alt="" /> If an image conveys complex information, such as a graph, use a brief ALT attribute and link the image to a longer page, (but not in a new window), with an extended explanation using the longdesc attribute. The alt attribute should be sufficient to allow users to decide whether they want to follow the link given by the longdesc attribute. 2. Use headings appropriately to convey hierarchy. Use <h1> through <h6> tags for page headings, and be sure to use them in the proper order (e.g., <h1> precedes <h2>). Use CSS to style heading tags: <h1>Retirement Benefits</h1> 3. Style text with CSS rather than use images. Do not create graphics that look like text. Use text and style it with CSS instead: <h2 class="introBlurb">The City of Tacoma encourages businesses to dream big.</h2> 4. Make sure the site is readable with style sheets disabled, Images turned off, and in black and white mode. If you disable CSS, images and / or set the site to black and white the site must be readable and logical. It may be less visually appealing, but the site should not be confusing or lose information. 5. Use skip navigation links. "Skip nav" links allow users to jump to the content and skip the repetitive navigation links. You can display the skip nav link at the top of a page or use CSS to hide it until the link is active. DO NOT use display: none; to hide the skip nav link, or else it will also be hidden from screen reader users! Instead, use a negative value for margin-left to "hide" the link until it has focus. <p id="skipNav"><a href="#mainContent">Skip to Main Content</a></p> 6. Use device-independent code. Design the site for keyboard only use or mouse only use. Do not assume that a visitor will use a particular input device. The onchange, onhover, onmouseover, and onmouseout JavaScript event handlers require use of a mouse. Instead, use the onselect, onfocus, and onblur handlers, which work 8 7. with either a keyboard or mouse. The onclick handler must be used in conjunction with other link and form elements. JavaScript should have an alternate presentation. If JavaScript is used on a web page, provide the equivalent value for users who do not have JavaScript on their browsers. A common method is to add <noscript> tags immediately after the closing </script> tag. 8. Label form elements. Visually impaired people may need a screen reader to associate a form's input elements and labels. If the input elements aren't labeled appropriately, the user may complete the wrong field or be unable to access the form. <label id="name"> Name (first and last name):</label> <input type="text" id="name" value="name" size="20" /> Ensure the tab order is natural and intuitive. If the design does not allow a natural flow use the tab index to set the tab flow accordingly. 9. Caption all video and audio. Provide synchronized captions for all video and audio files. Meaningful images in videos must include an audio description to describe the video for the blind or vision impaired. 10. Don't rely on color alone to convey meaning. Convey site information using text rather than color references. Avoid instances of "Click the green button to proceed." 11. Ensure appropriate color contrast. Use one of the tools noted in the compliance section above to measure the contrast among graphics, fonts, and backgrounds on your page. Users can change the site's contrast to suit their needs when plain text is used instead of images of text (see item #3). 12. Mark up data tables correctly. Tables are reserved for tabular data, not page layouts. Designate row and column headers with <th>. Use the <thead>, <tbody> and <tfooter> tags. Use the scope or id/header attribute to associate data with the appropriate header(s). A header row must be provided for all data tables with two or more logical data levels. 13. Use descriptive text for links. Screen reading software scans a page for links and provides the list to the user. "Click here" links are useless when separated from their context. Use descriptive text such as "Explore our academic programs." 14. Identify links to PDFs, Word documents, Excel spreadsheets, etc. This is important for screen reader users, but it's also useful for sighted viewers who may not want to open another application Include the document designation in the link so that it will be read by screen readers: <a href="documents/mission.pdf">City of Tacoma Mission Statement (pdf)</a> Ensure PDF is accessible, properly tagged, booked marked and linking page has link to appropriate PDF reader. 9 15. Open off-site links in the same browser window. Modern browsers offer tabbed browsing, so a user has control over whether to open a link in a new tab or new window. By forcing an off-site link to open in a new browser window, users lose control of their navigation. Additionally, some older versions of screen reading software do not notify users when they open a new browser window. Users won't know what has happened until they try to use the "Back" button and find they can't go back. Because screen reading software can be expensive, an upgrade to a new version may not be feasible. 16. Don't use frames. If you must use them, correctly mark up frames and iframes. Frames introduce accessibility issues for many screen readers. Add title attributes to all <frame> and <iframe> tags. If you must use frames, provide equivalent content (or a link to it) within the <noframes> tags. Similarly, when you're using iframes, provide equivalent content (or a link to it) within the <iframe> tags. This allows a user to access the content directly if his/her browser doesn't support frames or iframes. 17. Give a user sufficient time to respond to timed content. When a timed response is required, alert users and give them sufficient time to respond. 18. Don't create flickering pages or multimedia. To prevent seizures among optically sensitive users, don't create any pages or multimedia that flicker between 3 to 55 times per second. Elements that flicker include: animated gifs, text that has been formatted to blink or scroll and Macromedia Flash animations. 19. Validate HTML and CSS. Code and Check for IT accessibility compliance. Test entire site for compliance (see section 2.0 Compliance of this document) and provide results to the City of Tacoma staff person in charge of this site / project. 20. Ensure City of Tacoma IT web requirements are met. 5.0 Security Standards All software on any City of Tacoma websites or on any sites hosted by the City of Tacoma shall follow secure coding practices as outlined in “A Guide to Building Secure Web Applications and Services” by the Open Web Application Security Project. This doc is available on www.OWASP.org. A compliant City of Tacoma web site must: Protect database queries from SQL injections. Detect for Cross-Site-Scripting Vulnerability, by keeping untrusted data separate from active browser content. Use a single set of strong authentication and session management controls, to prevent Broken Authentication and Session Management. 10 Have a secure configuration defined and deployed for the application, frameworks, application server, web server, database server, and platform. This includes keeping all software up to date, including all code libraries used by the application. Use secured direct object references to an internal implementation object, such as a file, directory, or database key. Use SSL to protect secure transmissions of logins and secure data. Ensure that document headers, footers, or any other portion of the document can NOT disclose a login id. For example: a document footer with f:\users\isxyz\ should not be allowed. Applications need to perform a check on URL access rights before rendering protected links and buttons, need to perform access control checks each time these pages are accessed. Use proper validation when redirecting and forwarding users to other pages and Websites. Ensure that document properties do not contain initials or the login id of the document author. Adhere to all City of Tacoma Network and Security Policies. 11