[whatwg] Exposing spelling/grammar suggestions in contentEditable

Cameron McCormack cam at mcc.id.au
Sun Nov 28 20:03:10 PST 2010

Charles Pritchard:
> The content within an editable area is already exposed: xhr is
> available.

That is data that the user has explicitly typed in, though.

> I understand that a 'custom' system dictionary could expose
> private data ... Just as 'suggestions' on form elements do.

Suggestions on form elements can’t be accessed by script on the page.
They only expose information that the user selects.

> What breach is enabled by using a limited spell check?

(What does “limited” mean?)

If script can programmaticaly get at the spell check results, then it
exposes whether particular words are in the user’s dictionary to that

The assertion is that it is a violation of the user’s privacy for a web
page to know whether a word is in the user’s dictionary or not.  An API
to perform spelling checks and return their results would expose this
information.  As currently handled, spelling checks are done purely at
the UI level, and information about the dictionary is not exposed to

Cameron McCormack ≝ http://mcc.id.au/

More information about the whatwg mailing list