[css-pseudo-4] Preventing User Dictionary Leaks via ::spelling-error and ::grammar-error Performance Impacts#13399
Open
…rror CSS Pseudo-Elements For details see: https://explainers-by-googlers.github.io/user-dictionary-leaks/
This proposal adds a new security concern to the section on ::spelling-error and ::grammar-error.
Although direct indicators of the ::spelling-error and ::grammar-error cannot be extracted, it’s possible to extract indirect information from browsers without rate limits on the application of these hints. In Chrome and Firefox, it’s possible to have an autofocused text area cycle programmatically through a series of misspelled words, and for the site to monitor indicators of rendering performance to notice when hints are applied. This allows sites (or their third-party embeds) to detect which words are or aren’t in the user’s dictionary, which could leak sensitive information stored there (for example, their contacts’ names). Safari already has rate limits in place which only check for and apply hints once per user interaction with the text field (e.g., a key input or click).
For details see: https://explainers-by-googlers.github.io/user-dictionary-leaks/
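The probe and the mitigation described in the PR text, as an added example that is not code from this PR, from the explainer, or from any browser engine. It is a small model of two spell-check scheduling policies: "per-mutation" (a check is queued after any change to the field value, with no rate limit) and "per-interaction" (a check is queued only after a genuine user input, as the text describes for Safari). The dictionaries, words, frame costs and the class and function names are all constructed for illustration; the only real-world claim the model encodes is the one the PR makes, that painting a spelling hint is observable through rendering cost and that script-driven value changes should not be able to trigger that paint on their own.

```javascript
// Added example (not the PR's or any engine's code): model of spell-check
// scheduling under an unthrottled policy versus a per-interaction rate limit.

// Constructed dictionaries. USER_DICTIONARY is the secret (e.g. contacts'
// names); BUILTIN_DICTIONARY stands in for the browser's language dictionary.
const BUILTIN_DICTIONARY = new Set(["the", "meeting", "tomorrow"]);
const USER_DICTIONARY = new Set(["alice", "zbigniew"]);

// Modelled frame cost. Painting a ::spelling-error decoration is the
// "indicator of rendering performance" the page can time. Values are
// illustrative, not measurements from any browser.
const FRAME_MS_PLAIN = 1;
const FRAME_MS_WITH_HINT = 4;

class TextFieldModel {
  // policy: "per-mutation" or "per-interaction" (hypothetical names).
  constructor(policy) {
    if (policy !== "per-mutation" && policy !== "per-interaction") {
      throw new Error(`unknown policy: ${policy}`);
    }
    this.policy = policy;
    this.value = "";
    this.checkPending = false;
    this.lookups = []; // words actually checked against the dictionaries
  }

  // Script sets the field value (element.value = word); no user gesture.
  setValueFromScript(word) {
    this.value = word;
    // The unthrottled policy queues a check for every change; the
    // rate-limited policy ignores changes that did not come from the user.
    if (this.policy === "per-mutation") this.checkPending = true;
  }

  // A real key press or click from the user. Both policies check after this.
  userTypes(word) {
    this.value = word;
    this.checkPending = true;
  }

  // One simulated render. Returns the frame cost observable by the page.
  renderFrame() {
    if (!this.checkPending) return FRAME_MS_PLAIN;
    this.checkPending = false;
    const word = this.value.toLowerCase();
    this.lookups.push(word);
    const known = BUILTIN_DICTIONARY.has(word) || USER_DICTIONARY.has(word);
    // Unknown word: the hint is painted, and the frame is measurably slower.
    return known ? FRAME_MS_PLAIN : FRAME_MS_WITH_HINT;
  }
}

// The probe the PR describes: cycle candidate words into an (autofocused)
// field from script and time each frame. Returns the attacker's guess for
// each word and how many dictionary lookups the script was able to force.
function probeDictionary(policy, candidates) {
  const field = new TextFieldModel(policy);
  const guessInDictionary = {};
  for (const word of candidates) {
    field.setValueFromScript(word);
    const frameMs = field.renderFrame();
    // A cheap frame means no hint was painted, so the attacker concludes
    // the word is accepted. Under the rate limit every frame is cheap, so
    // this guess carries no information.
    guessInDictionary[word] = frameMs < FRAME_MS_WITH_HINT;
  }
  return { guessInDictionary, forcedLookups: field.lookups.length };
}

// Under either policy, genuine user input still gets checked: the rate
// limit bounds lookups by the number of interactions, not by zero.
function lookupsAfterUserInput(policy, typedWords) {
  const field = new TextFieldModel(policy);
  for (const word of typedWords) {
    field.userTypes(word);
    field.renderFrame();
  }
  return field.lookups.length;
}

const CANDIDATES = ["alice", "mallory", "the"]; // constructed probe list
console.log("per-mutation:", probeDictionary("per-mutation", CANDIDATES));
console.log("per-interaction:", probeDictionary("per-interaction", CANDIDATES));
```

Run with `node` and compare the two outputs: under "per-mutation" the probe forces one lookup per candidate and correctly separates "alice" (in the user dictionary) from "mallory" (not), which is the leak; under "per-interaction" it forces no lookups at all, so every word looks "accepted" and the probe learns nothing. `lookupsAfterUserInput` shows the residual exposure the rate limit leaves: one check per real interaction, which is the user's own word, not an attacker-chosen one.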
This just shipped for Chrome, and has been in Safari for quite some time.
w3ctag/design-reviews#1148
WebKit/standards-positions#546
mozilla/standards-positions#1294