[csswg-drafts] Pull Request: [css-spec-shortname-1] Preventing User Dictionary Leaks via ::spelling-error and ::grammar-error Performance Impacts

arichiv has just submitted a new pull request for https://github.com/w3c/csswg-drafts:

== [css-spec-shortname-1] Preventing User Dictionary Leaks via ::spelling-error and ::grammar-error Performance Impacts ==
Although direct indicators of ::spelling-error and ::grammar-error cannot be extracted, it’s possible to extract indirect information from browsers without rate limits on the application of these hints. In Chrome and Firefox, it’s possible to have an [autofocused](https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Global_attributes/autofocus) text area cycle programmatically through a series of misspelled words, and for the site to monitor indicators of rendering performance to notice when hints are applied. This allows sites (or their third-party embeds) to detect which words are or aren’t in the user’s dictionary, which could leak sensitive information stored there (for example, their contacts’ names). Safari already has rate limits in place which only check for and apply hints once per user interaction with the text field (e.g., a key input or click).

For details see: https://explainers-by-googlers.github.io/user-dictionary-leaks/


See https://github.com/w3c/csswg-drafts/pull/13399


-- 
Sent via github-notify-ml as configured in https://github.com/w3c/github-notify-ml-config

Received on Monday, 26 January 2026 18:44:34 UTC