Axe Updates: Deque releases axe-core 4.2
We’re excited to announce another big update to axe-core. Axe-core 4.2 includes 4 new rules, improved security features, bug fixes, new methods to make building solutions on top of axe-core even easier, and even a new translation.
With axe-core 4.2, we have added a Polish translation, kindly contributed by Stefan Wajda. We’ve also made our use of the words “should” and “must” more consistent, where “must” has become a term that is only used for descriptions of rules that trigger violations for WCAG 2.0 and 2.1 at level A and AA.
New Rules in axe-core 4.2
Axe-core 4.2 introduces four new rules:
- Aria-text: Axe now provides limited support for role=”text”. This non-standard role only works in Safari, and can be used to influence where VoiceOver pauses in its pronunciation. Axe-core now allows this role, and tests if their use makes focusable elements inaccessible.
- Empty-table-header: This rule reports empty table header cells for review. Empty cells in a table are clearly not headings. If a cell is intended as a heading, but there is no text in them, an accessibility issue might exist. This rule will not report violations.
- Frame-focusable-content: When frames have tabindex=”-1”, they become completely inaccessible to keyboard users. Axe will now check if there is anything operable in frames, and if so, raise an issue if the frame (or any of its parent frames) has a negative tabindex attribute.
- Nested-interactive: When interactive elements are nested, such as having a link inside a button, this can trip up screen readers and other assistive technologies. This can result in the nested element getting ignored. Axe-core now reports when such elements can cause problems.
New Security Features
It is always important to keep software up to date.
As ever, Deque is committed to improving the security of our products. The new frameMessenger API provides additional options to secure inter-frame communication. This will be available in all Deque browser extensions in a few days.
Additional improvements are planned in axe-core 4.3, which will then also allow private communication across frames in all axe APIs, including axe DevTools for NodeJS, Java, Ruby & Python, as well as axe Monitor and axe Auditor. These are expected in June 2021. If you are using axe-core directly, you will notice the new sameOrigin configuration option which, by default, only permits same-origin communication. For more details, see the API documentation.
Improvements for integrations
In addition to axe.frameMessenger, a few extra utilities were added to axe-core, which should help those building tools on top of axe-core to use stable and reliable APIs. Anyone still using underscore prefix properties such as axe._tree should migrate away, as these will be removed in the next major release.
The new axe.setup() and axe.teardown() methods prepare the DOM tree so that it can be used with axe-core commons, such as axe-core’s accessible name computation method. Normally these methods are only available while axe-core is running. These can be of use in axe plugins and other environments.
Another helper method that was added in axe-core 4.2 is axe.utils.getRule(). This method makes it easier to access different properties on axe-core’s rules, such as reading out its metadata.
Throughout the next few weeks, we will release patches for older versions of axe-core, to address some security issues there. There will be patches available for all versions of axe-core from 3.0 upward. We recommend upgrading to one of these patches immediately, and transitioning to axe-core 4.2 as soon as possible. Axe DevTools will upgrade to axe-core 4.2 in May, and axe Auditor and Monitor will upgrade in June.
Axe-core version 4.3 will come a little sooner than usual and will be focused on addressing a number of complex bugs in rules, as well as adding new options for private frame communication channels.