[whatwg] Exposing spelling/grammar suggestions in contentEditable

Benjamin Hawkes-Lewis bhawkeslewis at googlemail.com
Sun Nov 28 23:30:12 PST 2010


On Mon, Nov 29, 2010 at 4:19 AM, Charles Pritchard <chuck at jumis.com> wrote:
>>> What breach is enabled by using a limited spell check?
>>
>> (What does “limited” mean?)
>>
>> If script can programmaticaly get at the spell check results, then it
>> exposes whether particular words are in the user’s dictionary to that
>> page.
> Limited, meaning not particular to a user's dictionary.

Breaches would include:

   1. Detecting the user's language (including fine distinctions like
British/US English).
   2. Fingerprinting the user's system. Different systems likely use
different dictionaries with different coverage. You could use
dictionary profiles to guess at the user's system (potentially down to
operating system and version).

Also your proposed limitation might well require user agents on some
platforms to implement their own dictionary service as opposed to
using platform dictionary services.

For example, say you were building a user agent for OS X. AFAICT you
can't exclude the user's dictionary when querying the system
spellchecking API:

http://developer.apple.com/library/mac/#documentation/Cocoa/Reference/ApplicationKit/Classes/NSSpellChecker_Class/Reference/Reference.html#//apple_ref/doc/uid/20000378

It would also make for a confusing user experience where the same
spellchecking UI yields different results in some web applications for
no obvious reason.

If you don't need the user's dictionary or the same spellchecking UI,
you could disable spellchecking with the "spellcheck" attribute and
roll your own over XHR/web sockets.

http://www.w3.org/TR/html5/editing.html#spelling-and-grammar-checking

--
Benjamin Hawkes-Lewis



More information about the whatwg mailing list