[whatwg] Exposing spelling/grammar suggestions in contentEditable

Charles Pritchard chuck at jumis.com
Sun Nov 28 20:19:25 PST 2010

On Nov 28, 2010, at 8:03 PM, Cameron McCormack <cam at mcc.id.au> wrote:

> Charles Pritchard:
>> The content within an editable area is already exposed: xhr is
>> available.
> That is data that the user has explicitly typed in, though.
Yes, that's what I meant to point out by the statement.
>> I understand that a 'custom' system dictionary could expose
>> private data ... Just as 'suggestions' on form elements do.
> Suggestions on form elements can’t be accessed by script on the page.
> They only expose information that the user selects.
Yes, that's what I meant.

>> What breach is enabled by using a limited spell check?
> (What does “limited” mean?)
> If script can programmatically get at the spell check results, then it
> exposes whether particular words are in the user’s dictionary to that
> page.
Limited, meaning not particular to a user's dictionary.

> The assertion is that it is a violation of the user’s privacy for a web
> page to know whether a word is in the user’s dictionary or not.  An API
> to perform spelling checks and return their results would expose this
> information.  As currently handled, spelling checks are done purely at
> the UI level, and information about the dictionary is not exposed to
> script.

Yes, and it's a valid assertion. That's why I'm looking for methods to work with that taken into account.

