- From: Florian Rivoal via GitHub <noreply@w3.org>
- Date: Mon, 23 Feb 2026 02:47:03 +0000
- To: public-css-archive@w3.org
frivoal has just labeled a pull request from arichiv for https://github.com/w3c/csswg-drafts as "css-pseudo-4":

== [css-pseudo-4] Preventing User Dictionary Leaks via ::spelling-error and ::grammar-error Performance Impacts ==

This proposal adds a new security concern to the section on ::spelling-error and ::grammar-error. Although direct indicators of the ::spelling-error and ::grammar-error cannot be extracted, it’s possible to extract indirect information from browsers without rate limits on the application of these hints. In Chrome and Firefox, it’s possible to have an [autofocused](https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Global_attributes/autofocus) text area cycle programmatically through a series of misspelled words, and for the site to monitor indicators of rendering performance to notice when hints are applied. This allows sites (or their third-party embeds) to detect which words are or aren’t in the user’s dictionary, which could leak sensitive information stored there (for example, their contacts’ names).

Safari already has rate limits in place which only check for and apply hints once per user interaction with the text field (e.g., a key input or click).

For details see: https://explainers-by-googlers.github.io/user-dictionary-leaks/

This just shipped for Chrome, and has been in Safari for quite some time.

https://github.com/w3ctag/design-reviews/issues/1148
https://github.com/WebKit/standards-positions/issues/546
https://github.com/mozilla/standards-positions/issues/1294

See https://github.com/w3c/csswg-drafts/pull/13399

--
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config
Received on Monday, 23 February 2026 02:47:04 UTC
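
The rate limit described in the message (check for and apply hints once per user interaction) can be modelled as a gate in front of the spell checker. This is an added example, not part of the original message and not code from any browser; the class `GatedSpellChecker`, its methods, the dictionary contents and the sample words are all constructed for illustration.

```javascript
// Constructed model of interaction-gated spell checking; not browser source code.
class GatedSpellChecker {
  constructor(dictionary) {
    this.dictionary = new Set(dictionary); // stands in for the user's dictionary
    this.value = "";
    this.pendingInteraction = false; // set only by a real user interaction
    this.lookups = 0;                // dictionary consultations performed so far
    this.marked = [];                // words currently carrying a spelling hint
  }

  // Script-driven change (e.g. assigning textarea.value): never earns a check.
  setValueFromScript(text) {
    this.value = text;
    this.marked = []; // assumption of this model: old hints are dropped, none computed
  }

  // User interaction with the field (key input or click): earns exactly one check.
  userInteraction(text = this.value) {
    this.value = text;
    this.pendingInteraction = true;
  }

  // Called once per rendering opportunity; returns true only if hint work was done.
  renderFrame() {
    if (!this.pendingInteraction) return false; // no dictionary-dependent work
    this.pendingInteraction = false;
    const words = this.value.split(/\s+/).filter(Boolean);
    this.lookups += words.length;
    this.marked = words.filter((w) => !this.dictionary.has(w.toLowerCase()));
    return true;
  }
}

function demo() {
  const checker = new GatedSpellChecker(["hello", "zyxwv"]); // constructed dictionary
  // Programmatic cycling through words: the gate stays closed on every frame.
  for (const scripted of ["zyxwv", "qqqqz", "hello"]) {
    checker.setValueFromScript(scripted);
    checker.renderFrame();
  }
  const lookupsAfterScript = checker.lookups;
  // One user interaction: one check, even if several frames follow.
  checker.userInteraction("hello wrold");
  checker.renderFrame();
  checker.renderFrame();
  return { lookupsAfterScript, lookupsAfterUser: checker.lookups, marked: checker.marked };
}
```

With the gate in place, script-driven changes cause no dictionary-dependent rendering work, so the number of checks is bounded by the number of user interactions.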