Re: exposing underlining mechanism for IME?

On Sat, Nov 7, 2015 at 7:43 PM, David Young <dyoung@pobox.com> wrote:

> On Fri, Nov 06, 2015 at 07:40:03PM +0100, Johannes Wilm wrote:
> > thickness, color and backgroundColor are the values used in the browser
> > code for markers. I didn't see foreground color. So unless there is some
> > other code somewhere else that I haven't seen, those three properties
> seem
> > to cover everything browsers need to do for IME marking as of November
> > 2015. :)
>
> My thinking is, "Is this 'marker' some new DOM entity?" and "Who knows
> what marker properties tomorrow will bring."
>

The markers as we have them today are not to be found in the DOm, I believe.


>
> > On Fri, Nov 6, 2015 at 7:18 PM, David Young <dyoung@pobox.com> wrote:
> > > What if, instead, there was an API
> > > function that returned the CSS property-value pairs for a composition
> > > candidate---getCompositionStyle()?  The the editor could apply the
> > > style, modify it, or ignore it, according to the author's preference.
> >
> > Well, first of all it is really hard for us to underline part of a text
> > node using only CSS.
>
> Seems like an editor can enclose the range in a <span> styled
> 'text-decoration: underline'?
>

Yes, but at that stage it is no longer a partial text node.


>
> > Secondly, we often run into security issues.
>
> I think the problem you're concerned about is browser fingerprinting?
> Couldn't you also use timing of addCompositionMarker() to fingerprint?
>

Timing because it takes longer to draw a thick black line rather than a
yellow background (for example)? Or how do you mean?



> Can't you render HTML to a Canvas, serialize the Canvas, and look
> for the signature of an IME marker in it?  I suspect that there's an
> infinite regress of issues here, and we're going to be stuck if we have
> to quiet every security concern before we've built a single satisfactory
> editor.
>

Have you been able to get access to information about the IME using
JavaScript?

This proposal would only concern contenteditable, not canvas or other
elements. And because the markers is not part of the DOM, I don't think
there is any way to get it into a canvas, is there?


> Thinking more about privacy in this context: won't the editor content
> itself going to be *quite* revealing about the user/browser identity?
>
> Furthermore, even from the timing between editing events, you could
> probably tell a great deal about a user.  Why, some of us have keyboard
> "tics" (think "head scratching" or "beard stroking," only your hands
> are idling fiddling with the keyboard/cursor/editor) that would
> quickly identify us, even if timing information was unavailable to
> JavaScript.  (Is there any way for the paranoid to withhold a timebase
> from JavaScript?)
>

I tend to think similar to you about a lot of this. However, the browser
people generally seem to think that the browsers should not give extra
information about the user of any kind to the JS.


>
> Dave
>
> --
> David Young
> dyoung@pobox.com    Urbana, IL    (217) 721-9981
>
>


-- 
Johannes Wilm
Fidus Writer
http://www.fiduswriter.org

Received on Saturday, 7 November 2015 19:10:48 UTC